Target, Michaels, eBay, JPMorgan Chase, the New York Times, Google, Anthem, the U.S. Government… The list of high profile data breaches grows longer each day, and doesn’t include the countless number of small businesses that have had their data compromised in attacks we may never hear about.
Given the frequency and high cost of recent cyber attacks, it’s no surprise that cyber insurance is one of the fastest growing areas in the insurance industry. It seems no industry is immune. Examples of cyber attacks on organizations can be found in education, financial services, nonprofits, professional services, manufacturing, hospitality, retail and – as the Anthem breach illustrates – even the insurance industry. The Ponemon Institute 2014 Global Report on the Cost of Cyber Crime found that U.S. companies spend an average of $12.7 million a year on cyber attacks and data breaches.
It is no surprise that 80% of property/casualty insurance executives believe cyber insurance is a major growth area for commercial insurers, according to a recent survey by the Insurance Information Institute.
With clients of all sizes and across all industries, independent agents are on the front lines of this emerging opportunity and can help clients protect themselves from cyber threats. Here are six things agents need to know about the cyber insurance market:
1. The cyber threat is a growing problem. A Symantec 2014 Internet Security Threat Report reported the number of data breach incidents grew 62% from the previous year. Add to that all the breaches that went unreported or worse, undetected. The use of connected devices such as cameras, cell phones and other digital equipment and emerging technologies like the cloud are opening the door to more cyber attacks and exposing businesses to greater liability.
Cyber risks can include identity theft of credit card or personal information, business interruption, reputation damage, data theft, software corruption and human error, the cost of credit monitoring services for customers impacted by identity theft, as well as lawsuits. According to Ponemon, the most costly cyber crimes are those caused by malicious insiders, denial of services and web-based attacks, accounting for more than 55% of all cyber crime costs per organization on an annual basis.
2. Not all data, and cyber liability, is the same. Most organizations keep data on their business, employees and customers. An organization will have different levels of possible exposure depending on the types of data they collect. This makes it difficult to compare the risk from one company to another. A doctor’s office with patient data including names, addresses, Social Security numbers and other personal information may be more attractive to a cybercriminal than a bakery, for example. Actuarial data for underwriters is hard to quantify, so cyber policies are often based on qualitative assessments. One size does not fit all.
There are two types of cyber liabilities that threaten businesses. First-party cyber liability refers to risks that can expose data on a company’s own network, such as when the personal information of 110 million Target customers was stolen. Third-party cyber liability refers to risks that threaten data on a client’s network. In the Target example, the transaction software developer may face liability. Third-party insurance has grown faster than first party, but laws regulating data privacy and critical infrastructure will drive sales in the first-party insurance market.
3. Many businesses don’t understand the threat. Carriers that offer cyber protection report that 40% of their clients say they don’t need it and another 29% think they are covered under existing policies, according to a 2014 study by Hanover Research.
It doesn’t take much for disaster to strike. Consider a business owner who accidentally installs malware on his point-of-sale devices. In an instant, hackers have access to customer names, credit card numbers and other personal information. That business has had a data breach that will cost it thousands of dollars in damages to its reputation, legal fees, software upgrades, credit monitoring and other out-of-pocket expenses. It may only cost that business owner $10,000 to $30,000, but for a small business client, that is a lot of money and could force them out of business.
Next page: 3 more things agents need to know about the cyber insurance market