Cyber Insurance Gains New Converts

Cyber Insurance Gains New Converts

Companies in the financial services, healthcare and retail industries were first to recognize the need for cyber liability insurance coverage because their valuable data is prized by hackers.

While they created initial demand for cyber liability insurance coverage, businesses in other sectors felt that cyber insurance was not needed.

Now, as cyber threats and costs continue to rise, businesses in other sectors are catching on—looking more deeply at cyber coverage and purchasing insurance policies, according to this article from Edward Iwata, the second in a series from

“Without question, companies in a variety of sectors recognize that they have significant cyber and privacy risks, and they are looking to transfer that risk,” said Jason Straight, chief privacy officer at UnitedLex, a legal services outsourcing firm.

Among the new converts:

•    Hospitality. Prestige Cruises International, the Miami-based operator of Seven Seas Cruises, carries network security and privacy liability insurance to help offset potential costs for data breach response, notification, forensics, legal and regulatory actions, credit identity monitoring and fraud alert and other expenses.
•    Gaming and sports entertainment. Churchill Downs, home of the Kentucky Derby, disclosed in an SEC filing that it carries wide-ranging cyber insurance to guard against the potential fallout from cyber attacks. Risks covered include “network security, first-party extortion threats and business interruptions.”.”
•    Energy. RGC Resources, a natural gas company based in Roanoke, Va., with 58,000 residential and commercial customers, noted in its 2014 annual report that it carries cyber insurance coverage “to mitigate financial implications” and a security-response plan “to reduce the impact of cyber attacks and data breaches.”

Several factors are driving cyber insurance into the risk management spotlight. For one, the hacking of marquee companies and agencies continue to grab headlines, stirring regulators at the federal and state levels to impose tighter rules on handling sensitive data. Case in point: the fallout of the U.S. Office of Personnel Management breach.

Meanwhile, the commercial leveraging of the Internet shows no sign of slowing down. Storage of sensitive business and personal data has shifted to hosted cloud services. And consumers and workers increasingly access business data via web-connected mobile devices. This trend is multiplying exposure to insider theft, social engineering, clever hacking—and various combinations of these data-stealing techniques.

Industry responds as exposure risks grow

The insurance industry is motivated to develop this new market. Carriers introduced 38 new cyber insurance products in 2013, up from 32 new cyber coverages in 2012, said insurance consultancy Advisen Ltd. The insurance industry’s innovative blood is flowing as carriers scramble to tap what’s viewed as a rich vein of fresh revenue and profits.

According to insurance brokerage giant Marsh, the 2014 growth rates for clients buying cyber insurance policies soared by:

•    69% in hospitality and gaming
•    58% in education
•    47% in power and utilities
•    43% in retail/wholesale
•    35% in manufacturing, and
•    27% in professional services

Marsh says that its clients buying cyber policies rose 32 percent in 2014 from 2013, and the pace is quickening in 2015. And a wide range of reports show that 31 percent to 52 percent of companies have some type of cyber insurance, according to research by the Insurance Information Institute.

In the meantime, the demand for cyber insurance keeps growing in the traditionally strong sectors of retail, health care and financial services.

An Advisen report compiled for reinsurer PartnerRe concludes that “the continued increase in demand suggests that rather than being saturated, there is still plenty of scope for growth in these highly exposed sectors.”

These heady growth rates, of course, are off of a comparatively small base. The $2 billion U.S. cyber-insurance market is a tiny chunk of the multibillion-dollar insurance industry.

Reality of threats starts to sink in

More businesses in diverse sectors are beginning to realize that virtually all of their operations use technology that is vulnerable to cyber attacks, says Robert Parisi, managing director at Marsh FINPRO.

Such wide-ranging “operational cyber risk” includes manufacturing, distribution, supply chains, inventory, point-of-sale systems—virtually all aspects of a company, Parisi points out.

And in an Internet-centric economy, where partnerships routinely involve companies of all sizes collaborating remotely, risks can swiftly migrate to all of the partners. A small business blind to cyber exposures can prove to be the weak link through which hackers navigate to larger partner organizations.

To address these emerging exposures, security vendors and insurance carriers alike are innovating and marketing new products and services to both large enterprises and small and mid-size businesses.

Less than 3 percent of businesses with revenue of less than $1 million carry cyber insurance, according to Advisen. That notion is not lost on carriers eager to sell cyber policies to small companies.

Nate Spurrier, director of business development for CyberScout, said that cyber insurance will become “a standard solution in the market” when small businesses see other small businesses having breaches—“instead of only the Targets and Sonys and Home Depots of the world.”

This article originally appeared on