As hackers lurk, companies turn to cyber insurance

Hacking that targets individuals and business is now a way of life. And since it can't be stopped, potential victims need protection against the kind of attacks witnessed this week with the "WannaCry" ransomware attacks

This has created a vast and growing market for cyber insurance, costing companies at least $3.25 billion each year in annual premiums. But that's a drop in the bucket compared to what they will pay to insurers by 2025 – as much as $20 billion, according to Allianz SE, the world's largest insurer. There is also a market for individuals who fear that they, or their families, could be hacked.  

"When this began on Friday, our phones started ringing and they haven't stopped," said Tom Reagan, cyber practice leader for Marsh, an insurance broker unit of professional services firm Marsh & McLennan. "This is a global pandemic."

Cyber insurance is now generally its own market, Reagan said. Standalone cyber coverage has grown by more than a quarter in recent years at Marsh.

According to the Insurance Information Institute (III), which represents the property-casualty industry, the number of data breaches continues to grow each year, with at least 500 million in the first half of 2016 alone. Losses from hackers amounted to at least $1.5 billion that year, and are likely to swell even more this year due to the WannaCry hack. Cyber incidents are now the third-largest global business risk, the group said in a presentation.

There is no cure as long as hackers continue to hide in secret places on the internet's dark web, and rogue nations shelter them.

All the publicity has prompted new insurers to enter the market, thereby lowering the price of premiums. They are adding new layers of protection and working with smaller businesses that might have previously thought they were immune to hacking, but are finding out they're not.

Companies that were already hacked because they were viewed as easy targets, like retailers, have hardened themselves against future breaches. 

"They've invested tens of billions for risk control, such as pin (or chip) technology so they are seeing favorable rate changes," Reagan said. And such precautions have paid off -- the U.S. was one of the least affected nations in the last attack.  

But there are still given industries, such as health care, where rates are going up. Health care providers often easily hacked because compliance laws that make data entry easier also make it hard to keep hackers out. According to the III, medical and health care records represent 35 percent of all data breaches and more than half of all records stolen.

Other coverages, such as liability and property-casualty, usually deal only with physical events. Cyber coverage deals with information theft and loss. And even if a company can deflect a cyberattack by itself, it can still be crippled if a major supplier, client or distribution network is shut down. It can also face legal costs from consumer class action lawsuits, and experience problems restoring data lost to the hackers.

Chubb (CB), a high-end property insurer, is among the insurers that offers cyber protection. Normally such policies are "riders" to a basic home insurance policy, and add to its cost. Reputational risk is a concern for the wealthy and famous, who are also worried about their children being "cyberbullied," Chubb said.

Hartford Steam Boiler, a unit of German insurer Munich Re, points out how easily families can be hacked. "Home devices like smart TVs and appliances are often designed for easy use and not security," said Timothy Zellman, counsel for Hartford, in a company survey. Right now, only 10 percent of those surveyed were victims, but that number could grow because consumers don't generally change passwords or take security precautions with all their devices. Hartford was the first to offer home hacking policies.

While the numbers are small, the losses from a hack can be "quite substantial," according to Hartford. Nearly half spent as much as $5,000 to recover from the breach. "The problem will likely get worse," said Zellman.    

In 40 percent of all hack attacks, ransomware is the goal, said the III. Most hackers simply hold the computer and data for ransom, usually paid in anonymous "bitcoin."

"We have a dilemma with this," Reagan said. "We know clients are making these payments. And we know that paying ransomware is increasingly a more common offering in cyber insurance contracts."

But there isn't a lot a company can do. Although WannaCry extorted less than $100,000, the damage from reduced productivity and other economic losses could rise into the billions. Most CEOs might opt to pay the "go away" money rather than face the alternative. The average data breach in the U.S. last year cost a company $7 million, said III.

Disney (DIS) could be an exception. Chief Executive Robert Iger said that his company had to make a tough decision when hackers threatened to release its latest "Pirates of the Caribbean" movie. He refused to pay and turned the case over to the FBI.

What happened to Disney shows just how wide hackers have spread their net. And they are likely to downsize to small and midsize companies, which are going to need cyber insurance. In some instances, they need it more than larger firm because their lack of in-house security makes them even more vulnerable. More than 60 percent of all attacks are now aimed at modest-sized businesses, III said.

So what can companies do? Insurers and brokers like Marsh have anti-hack units that offer advice on ways to prevent these attacks, including looking at a company from a criminal's point of view. 

"You may think you're safe, but if someone sees the lights off and a bunch of newspapers outside the door, they know you're not at home," Reagan said.

Companies can also conduct "tabletop exercises," planning an attack and then thwarting it. "The first phase of an attack is the data breaches," he said. "Then system outages, and then extortion."

  • Ed Leefeldt

    Ed Leefeldt is an award-winning investigative and business journalist who has worked for Reuters, Bloomberg and Dow Jones, and contributed to the Wall Street Journal and the New York Times. He is also the author of The Woman Who Rode the Wind, a novel about early flight.