BOSTON (Reuters) - A rash of hacking attacks on U.S. companies over the past two years has prompted insurers to massively increase cyber premiums for some companies, leaving firms that are perceived to be a high risk scrambling for cover.
On top of rate hikes, insurers are raising deductibles and in some cases limiting the amount of coverage to $100 million (65 million pounds), leaving many potentially exposed to big losses from hacks that can cost more than twice that.
“Some companies are struggling to find the money to buy the coverage they want,” said Tom Reagan, a cyber insurance executive with Marsh & McLennan Co’s Marsh broker unit.
The price of cyber coverage - which helps cover costs like forensic investigations, credit monitoring, legal fees and settlements - varies widely, depending on the strength of a company’s security. But the overall trend is sharply up.
Retailers and health insurers have been especially hard hit by the squeeze after high-profile breaches at Home Depot Inc, Target Corp, Anthem Inc and Premera Blue Cross.
Health insurers who suffered hacks are facing the most extreme increases, with some premiums tripling at renewal time, said Bob Wice, a leader of Beazley Plc’s cyber insurance practice.
Average rates for retailers surged 32 percent in the first half of this year, after staying flat in 2014, according to previously unreported figures from Marsh.
Higher deductibles are also now common for retailers and health insurers. And even the biggest insurers will not write policies for more than $100 million for risky customers. That leave companies like Target, which says its big 2013 data breach has cost $264 million, paying out of pocket.
No. 2 U.S. health insurer Anthem ran into difficulties renewing its coverage after an attack early this year that compromised some 79 million customer records, according to testimony from Anthem General Counsel Thomas Zielinski at an August hearing of the National Association of Insurance Commissioners.
Renewal rates were “prohibitively expensive,” according to minutes of that session seen by Reuters. The company managed to get $100 million in coverage, Zielinski said, but only after agreeing to pay the first $25 million in costs for any future attacks. The company would not say what that figure was before, but it was likely much smaller.
The spate of hacks is potentially good and bad for insurers. It means they have to pay out more in claims, but it also highlights the importance of buying insurance and gives them a reason to jack rates up.
As more companies realise the importance of having coverage, and insurers move in to meet that demand, the cyber insurance market is set to triple to about $7.5 billion over the next five years, according to a recent study by consulting firm PwC.
But insurers are wary of the hard-to-predict risks they are taking on.
“We have turned clients away,” said Tracie Grella, the global head of professional liability at insurance giant American International Group Inc.
AIG offers cyber policies that cover up to $75 million for a cyber attack, but only for companies like top global banks that have are the most adept at securing networks and mitigating cyber risk.
Another insurer, Ace Group, recently started offering up to $100 million in coverage, but only after an intensive review of potential clients’ cyber security policies and procedures.
Warren Buffett’s Berkshire Hathaway this month also launched its first cyber policies through its speciality insurance division. “We will be very selective,” said Danielle Librizzi, an executive with the insurer.
Target and Home Depot declined to comment on whether insurers had hiked rates or reduced coverage after massive breaches that exposed tens of millions of credit cards.
Target said in a filing that it expects insurance to cover just $90 million of the $264 million of costs related to its 2013 attack. Home Depot said it expects $100 million in payments towards $232 million in expenses from its 2014 breach.
“A lot of the carriers have gotten burned. They are coming back with harsher and more challenging penalties,” said Bob Shaker, a manager at Symantec Corp’s breach response team.
Insurance buyers may be able to get more than $100 million in coverage by using a syndicate of insurers organised by a broker. Even so, some have warned they may not have adequate cover.
In the wake of last year’s attack on Sony Pictures Entertainment, parent Sony Corp said its financial condition could suffer if it were attacked again, since current policies “might not cover all expenses and losses.”
Sony spokesman Mack Araki said the company expects to recover “a significant portion” of the film studio attack’s costs from insurers. He declined to elaborate or say if insurers had raised pricing or reduced the limits on its cyber coverage.
Retailers shopping for cyber insurance are coming under pressure to secure their payment systems, just as homeowners are encouraged to install locks on doors and windows.
Insurers are promoting newer technologies for securing payment card transactions that exceed credit card companies’ requirements, such as tokenisation and end-to-end encryption, said Ben Beeson, a partner with broker Lockton Companies.
“Retailers that don’t do that today are going to struggle to get insurance,” Beeson said.
But the stringent conditions on coverage could lead to the next chapter of the cyber drama: courtroom battles.
“The restrictions and terms that we are seeing in the underwriting process now will become the claim disputes we see in two or three years,” said Lynda Bennett, partner with Lowenstein Sandler. “We definitely expect more litigation.”
Reporting by Jim Finkle; Editing by Jonathan Weber, Richard Valdmanis and Bill Rigby