Exclusive: Hacking blitz drives cyberinsurance demand
Jun 14, 2011, 12:21 p.m.
By Ben Berkowitz
NEW YORK (Reuters) - The recent string of sensational hacker attacks is driving companies to seek "cyberinsurance" worth hundreds of millions of dollars, even though many policies can still leave them exposed to claims.
Companies are having to enhance not just their information technology practices but also their human resources and employee training functions just to get adequate coverage against intrusion -- and in some cases, they are also accepting deductibles in the tens of millions of dollars.
Insurers and insurance brokers say demand is soaring, as companies try to protect themselves against civil suits and the potential for fines by governments and regulators, but also as they seek help paying for mundane costs like "sorry letters" to customers.
"When you have a catastrophic type of data breach then yes ... the phones ring off the hook," said Kevin Kalinich, co-national managing director of the professional risk group at insurance broker Aon Corp.
In the past few weeks, the U.S. Senate, the International Monetary Fund, defense contractor Lockheed Martin Corp.
In the days after Sony disclosed it had more than 100 million customer accounts compromised, the company said its insurance would help cover the costs of fixing its systems and providing identity theft services to account holders.
That helped drum up business for the still-growing segment of the industry, and the demand has only intensified since a more recent breach at Citigroup, which security experts said was the largest direct attack on a U.S. bank to date.
Some insurers say this is the moment the industry has been waiting for as the tide of bad news becomes so overwhelming that customers have no choice but to seek coverage. On Tuesday, Travelers
Aon's Kalinich said fewer than five percent of data breaches lead to costs of more than $20 million, and yet more and more companies are seeking to be insured for that and more to protect themselves against the shifting risk.
Large customers are going to extremes, taking out coverage for data breach liabilities of as much as $200 million, while also taking $25 million deductibles to keep their premiums down.
As with any kind of insurance, data breach policies carry all sorts of exclusions that put the onus on the company. Some, for example, exclude coverage for any incident that involves an unencrypted laptop. In other cases, insurers say, coverage can be voided if regular software updates are not downloaded or if employees do not change their passwords periodically.
"Insurers are all looking for good risks, whether it is a fire insurance company that wants a building that is sprinklered and doesn't have oily rags laying around - this is the equivalent in the IT area. They want good systems, they want good protection, they want good risk," said Don Glazier, a principal at Integro Insurance Brokers in Chicago.