Cyber Crime Drives Up The Cost Of Insurance

For companies and organisations, an attack by hackers can inflict financial losses, corporate embarrassment and legal action. For insurers jumping into the brave new world of cyber-crime insurance, it’s free marketing for what could be a $10 billion opportunity.

High-profile computer breaches like the hack of the Democratic National Committee and the Twitter Swastika Hack are reinforcing the need for protection against cyber threats, and companies such as Allianz SE and Beazley Plc are eager to step in.

Insurers see coverage against hackers as one of their most promising markets, estimating that premiums will triple over the next four years.

“We are optimistic that it can develop into Allianz’s and the industry’s next blockbuster,” Hartmut Mai, chief underwriting officer for corporate lines at Allianz’s industrial insurance arm, said in an interview. “Cyber insurance is our key growth area at the moment.”

A new breed of coverage couldn’t come at a better time for insurers, which are struggling to expand in most of their established markets amid slow economic growth and low catastrophe claims that weigh on prices. Insurance premium income stagnated in Europe last year and is expected to grow 1.3 percent next year, according to reinsurer Munich Re. The company estimates that cyber insurance premiums could rise to between $8.5 billion and $10 billion by 2020 from about $3.4 billion currently.

A further boost to demand may come from rules to be introduced next year by the European Union that will require companies to report cyber breaches to regulators and affected individuals.

Allianz currently writes a double-digit million-euro amount of cyber insurance premiums and recorded 28 percent growth last year, according to Mai. He said the product may evolve into an industry bestseller comparable to directors-and-officers liability insurance, which became a top offering during the last decade and now accounts for about 10 billion euros ($11 billion) in global premiums.

Boardroom Issue
“Cyber risk has become a boardroom issue over the past years, following some high profile hacker attacks,” Paul Bantick, head of cyber insurance at Beazley, said in an interview. “We haven’t seen the big breaches at the retailers such as in 2015 or the large health-care breaches that occurred in 2016. Yet, there’s still a high frequency of smaller losses.”

Cyberattacks involving ransomware -- in which criminals use malicious software to encrypt a user’s data and then extort money to unencrypt it, increased 50 percent in 2016, according to a report from Verizon Communications Inc. Criminals increasingly shifted from going after individual consumers to attacking vulnerable organisations and businesses, the report said.

Government organisations were the most frequent target of these ransomware attacks, followed by health-care businesses and financial services, according to data from security company McAfee Inc., which partnered with Verizon on the report.
While companies have had decades, and in some cases centuries, to work out the risks of fire, natural catastrophes and physical theft, cyber-crime is relatively recent, with new and more sophisticated schemes being developed every year. With damages on the rise, the biggest challenge for insurers is to set the right price and limits for their coverage. One in four medium-sized businesses in Germany have suffered a loss from a hacker attack, according to a survey published March 28 by Germany’s GDV insurance lobby group. 
“For insurers to stay relevant in an ever more technology-driven business environment, they need to embrace the opportunity while properly managing the risks,” Thomas Seidl, an analyst at Sanford C. Bernstein in London, said in a note to clients on April 24.

Like Munich Re and Allianz, Beazley also sees rapid growth in cyber insurance. The Lloyd’s of London insurer partners with Munich Re to provide the product and it’s running the book at a profit. To make sure that continues, insurers are careful not to take overly large risks in the nascent market.
“We limit our coverage to $100 million per client, of which both Munich Re and Beazley take $50 million,” Beazley’s Bantick said. “In bigger programs, the $100 million is just a first part, with others providing additional coverage.”

The scope of cyber insurance varies from one provider to the other. Typically, it protects against data and network security breaches and associated losses, and insurers limit their capacity to between $5 million and $100 million per client.
A customer fact sheet prepared by insurer Chubb Ltd., which counts the U.S. as its largest market, described a claim where hackers gained access to a school district’s network to steal names, addresses and account information from 20,000 past and present faculty and students. 

Compensation included settlements from compromised individuals, costs of responding to a regulatory investigation and public relations fees. Other cases included a data center for an online retailer that was forced to shut down temporarily and a car components maker whose system was encrypted to extort ransom.

A recent study by risk modeler Risk Management Solutions Inc. found that “if all U.S. businesses had cyber insurance, over $5 billion a year would be lost to the insurance industry from cyber data exfiltration alone. Data breaches are the leading cause of cyber insurance loss.”

Global Event
One concern is that a global cyber event such as a devastating virus spreading from Asia to Europe and the U.S. or a global cloud computing provider breaking down could affect a large number of companies covered by one insurer.
“A hurricane with a probability of happening once in 25 years could cost us as much as $150 million and the whole industry about $30 billion,” said Hiscox CEO Bronek Masojada in an interview. “Due to the lack of history, the question with cyber is whether a $30 billion loss happens once in 25 years or once in 100 years. The most important question is whether we will be alive after it.”

In terms of growth, “cyber is by far the most important part” of the business at Hiscox right now, he said. The London-based insurer will write more than $100 million in cyber premiums this year at a growth rate of 20 percent to 30 percent, Masojada estimated. 

Cyber insurance premiums at Beazley already exceed $400 million, excluding broker commissions, Bantick said. Munich Re’s premium income from the product rose to $263 million last year from $191 million in 2015. The Munich-based reinsurer aims to keep a market share of 8 percent to 10 percent going forward, reinsurance head Torsten Jeworrek said. 

Europe Awakes
Beazley’s Bantick says his company is “starting to see shoots of demand in Europe, Latin America and Asia.” Allianz’s Mai agrees, adding that he sees last year’s strong growth rates as “the product’s final breakthrough in Europe.”
Prices are on the rise as well. In the US, cyber-liability rates climbed for the 10th consecutive quarter at the end of last year while rates continued to decline in most other global insurance lines, according to a report by broker Marsh & McLennan Cos.
“While there are a lot of companies buying cyber coverage, most of them are data-breach driven,” Beazley’s Bantick said. “But clients are looking for large, holistic cyber programs that cover whatever happens from data breach to property damage and business interruption.”

Leoni AG’s experience is a lesson in the complexity of cyber risks. The German cable manufacturer lost 40 million euros last year when fraudsters used fake electronic communication to trick an executive into transferring the cash to foreign accounts. In the end Leoni got about 5 million euros from fidelity insurance it had. Even though the company had sufficient cyber insurance in place, it didn’t apply because the fraudsters didn’t hack the company’s systems.

Bloomberg:

You Might Also Read:

Company Lost $44m Through One Email Fraud:

Hackers Steal $50 Million From Leading Aviation Design Company:

Systemic Cyber Attacks Most Likely In Finance & Energy Industries:

Cyber Should Be Standalone Insurance:

 

 

« Industrial Robots Are A Security Weak Link
Trump Signs Cybersecurity Order »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

DLA Piper

DLA Piper

DLA Piper is a global law firm with offices throughout the Americas, Asia Pacific, Europe and the Middle East. Practice areas include Cybersecurity.

Intrinsic-ID

Intrinsic-ID

Intrinsic-ID's authentication technology creates unique IDs and keys to authenticate chips, data, devices and systems.

Cyber Defense Agency (CDA)

Cyber Defense Agency (CDA)

Cyber Defense Agency is a premier professional services firm specializing in cyber security, computer network defense, and information security.

Phew

Phew

Phew are New Zealand cyber security specialists with expertise and experience forged in global financial markets, IT&T, management consulting and SME business management.

Excelerate Systems

Excelerate Systems

Excelerate Systems is a leading provider of IT services with a focus on Big Data, Cloud Services and Security.

WiJungle

WiJungle

WiJungle is an Indian Cyber Security Company that develops and markets a unified network security gateway solution.

CyberSwarm

CyberSwarm

CyberSwarm is developing a neuromorphic System-on-a-Chip dedicated to cybersecurity which helps organizations secure communication between connected devices and protect critical business assets.

NJVC

NJVC

NJVC delivers IT automation, optimization and security to empower mission-enabling IT for customers with secure requirements.

Red River

Red River

Red River is a technology transformation company, bringing 25 years of experience and mission-critical expertise in analytics, cloud, collaboration, mobility, networking and security solutions.

Winterhawk

Winterhawk

Winterhawk is a specialist and leading global Cyber, ESG, GRC, Risk & Identity consulting practice.

Coviant Software

Coviant Software

Coviant Software delivers secure managed file transfer (MFT) software that integrates smoothly and easily with business processes.

Halcyon

Halcyon

Halcyon is the industry’s first dedicated, adaptive security platform focused specifically on stopping ransomware attacks.

Protecto

Protecto

Make privacy and governance effortless. Brakes allow you to drive faster. Stronger data privacy and security enable companies to unlock the full potential of the data.

Cyber and Fraud Centre – Scotland

Cyber and Fraud Centre – Scotland

The Cyber and Fraud Centre – Scotland exists to ensure Scottish organisations are as resilient as they can be against cyber and fraud crime.

ThreatCaptain

ThreatCaptain

ThreatCaptain is a Cybersecurity Leadership Development Company driven to enhance and illuminate cybersecurity risk through strategic alignment and informed business decision-making.

Nothreat

Nothreat

Nothreat has revolutionized how businesses like yours protect themselves from damaging cyber attacks. Our tech learns and adapts in real time, protecting clients from even zero-day attacks.