Cyber crime fears drive up demand for anti-hacker insurance

High profile computer breaches are reinforcing the need for protection against cyber threats, and companies such as Allianz and Beazley are eager to step in.
High profile computer breaches are reinforcing the need for protection against cyber threats, and companies such as Allianz and Beazley are eager to step in. PHOTO: REUTERS

WASHINGTON (WASHINGTON POST) - For companies and organizations, an attack by hackers can inflict financial losses, corporate embarrassment and legal action. For insurers jumping into the brave new world of cyber crime insurance, it's free marketing for what could be a US$10 billion (S$14 billion) opportunity.

High profile computer breaches like the hack of the Democratic National Committee and the Twitter Swastika Hack are reinforcing the need for protection against cyber threats, and companies such as Allianz and Beazley are eager to step in. Insurers see coverage against hackers as one of their most promising markets, estimating that premiums will triple over the next four years.

"We are optimistic that it can develop into Allianz's and the industry's next blockbuster," Hartmut Mai, chief underwriting officer for corporate lines at Allianz's industrial insurance arm, said in an interview. "Cyber insurance is our key growth area at the moment."

A new breed of coverage couldn't come at a better time for insurers, which are struggling to expand in most of their established markets amid slow economic growth and low catastrophe claims that weigh on prices. Insurance premium income stagnated in Europe last year and is expected to grow 1.3 per cent next year, according to reinsurer Munich Re. The company estimates that cyber insurance premiums could rise to between US$8.5 billion and US$10 billion by 2020 from about US$3.4 billion currently.

Get The Straits Times
newsletters in your inbox

A further boost to demand may come from rules to be introduced next year by the European Union that will require companies to report cyber breaches to regulators and affected individuals.

Allianz currently writes a double-digit million-euro amount of cyber insurance premiums and recorded 28 per cent growth last year, according to Mai. He said the product may evolve into an industry bestseller comparable to directors-and-officers liability insurance, which became a top offering during the last decade and now accounts for about 10 billion euros in global premiums.

"Cyber risk has become a boardroom issue over the past years, following some high profile hacker attacks," Paul Bantick, head of cyber insurance at Beazley, said in an interview. "We haven't seen the big breaches at the retailers such as in 2015 or the large health-care breaches that occurred in 2016. Yet, there's still a high frequency of smaller losses."

Cyberattacks involving ransomware - in which criminals use malicious software to encrypt a user's data and then extort money to unencrypt it - increased 50 per cent in 2016, according to a report from Verizon Communications Inc. Criminals increasingly shifted from going after individual consumers to attacking vulnerable organizations and businesses, the report said.

Government organizations were the most frequent target of these ransomware attacks, followed by health-care businesses and financial services, according to data from security company McAfee Inc., which partnered with Verizon on the report.

While companies have had decades, and in some cases centuries, to work out the risks of fire, natural catastrophes and physical theft, cyber crime is relatively recent, with new and more sophisticated schemes being developed every year. With damages on the rise, the biggest challenge for insurers is to set the right price and limits for their coverage.

One in four medium-sized businesses in Germany have suffered a loss from a hacker attack, according to a survey published March 28 by Germany's GDV insurance lobby group."For insurers to stay relevant in an ever more technology-driven business environment, they need to embrace the opportunity while properly managing the risks," Thomas Seidl, an analyst at Sanford C. Bernstein in London, said in a note to clients on April 24.

Like Munich Re and Allianz, Beazley also sees rapid growth in cyber insurance. The Lloyd's of London insurer partners with Munich Re to provide the product and it's running the book at a profit. To make sure that continues, insurers are careful not to take overly large risks in the nascent market."We limit our coverage to US$100 million per client, of which both Munich Re and Beazley take US$50 million," Beazley's Bantick said.

"In bigger programmes, the $100 million is just a first part, with others providing additional coverage." The scope of cyber insurance varies from one provider to the other. Typically, it protects against data and network security breaches and associated losses, and insurers limit their capacity to between US$5 million and US$100 million per client.

A customer fact sheet prepared by insurer Chubb Ltd., which counts the US as its largest market, described a claim where hackers gained access to a school district's network to steal names, addresses and account information from 20,000 past and present faculty and students. Compensation included settlements from compromised individuals, costs of responding to a regulatory investigation and public relations fees. Other cases included a data center for an online retailer that was forced to shut down temporarily and a car components maker whose system was encrypted to extort ransom.

A recent study by risk modeler Risk Management Solutions Inc. found that "if all US businesses had cyber insurance, over US$5 billion a year would be lost to the insurance industry from cyber data exfiltration alone. Data breaches are the leading cause of cyber insurance loss."

One concern is that a global cyber event such as a devastating virus spreading from Asia to Europe and the US or a global cloud computing provider breaking down could affect a large number of companies covered by one insurer."A hurricane with a probability of happening once in 25 years could cost us as much as US$150 million and the whole industry about US$30 billion," said Hiscox CEO Bronek Masojada in an interview.

"Due to the lack of history, the question with cyber is whether a US$30 billion loss happens once in 25 years or once in 100 years. The most important question is whether we will be alive after it." In terms of growth, "cyber is by far the most important part" of the business at Hiscox right now, he said. The London-based insurer will write more than US$100 million in cyber premiums this year at a growth rate of 20 per cent to 30 per cent, Masojada estimated.

Cyber insurance premiums at Beazley already exceed US$400 million, excluding broker commissions, Bantick said. Munich Re's premium income from the product rose to US$263 million last year from US$191 million in 2015. The Munich-based reinsurer aims to keep a market share of 8 percent to 10 percent going forward, reinsurance head Torsten Jeworrek said.

Beazley's Bantick says his company is "starting to see shoots of demand in Europe, Latin America and Asia." Allianz's Mai agrees, adding that he sees last year's strong growth rates as "the product's final breakthrough in Europe." Prices are on the rise as well. In the US, cyber-liability rates climbed for the 10th consecutive quarter at the end of last year while rates continued to decline in most other global insurance lines, according to a report by broker Marsh & McLennan Cos.

"While there are a lot of companies buying cyber coverage, most of them are data-breach driven," Beazley's Bantick said. "But clients are looking for large, holistic cyber programs that cover whatever happens from data breach to property damage and business interruption." Leoni's experience is a lesson in the complexity of cyber risks.

The German cable manufacturer lost 40 million euros last year when fraudsters used fake electronic communication to trick an executive into transferring the cash to foreign accounts. In the end Leoni got about 5 million euros from fidelity insurance it had. Even though the company had sufficient cyber insurance in place, it didn't apply because the fraudsters didn't hack the company's systems.