Hackers are wreaking havoc on big organizations, but they're also spurring a new market — cyberattack liability insurance.
Once-complacent businesses, stung by debilitating cyberattacks at Target Corp., JPMorgan Chase Co. and other well-known companies, are on a cyberattack insurance shopping spree.
"Everyone's swamped with new applications," said Nick Economidis, an underwriter at cyberattack insurance provider Beazley Group.
The hack of health insurer Anthem Inc.'s computer system — a breach disclosed last week affecting up to 80 million customers — is bound to create more demand.
Spending on cyberattack insurance nearly doubled in 2014 from 2013, to about $2 billion, according to industry analysts.
Insurance offices are struggling to keep pace. Nearly every insurance agent polled last fall by reinsurer PartnerRe Ltd. reported growing demand for cyberattack liability insurance, with 45% reporting a "significant" uptick. Beazley said the number of policies in its book rose 150% from 2012 to 2013 and 100% from 2013 to 2014.
Ty Sagalow, an industry consultant and former chief operating officer for AIG's EBusiness division, said the growing sense that cyberattacks are no longer unusual events is dialing up the fear factor.
"Think of a massive cyberattack as an intelligent hurricane," he said. "If it hits a house that doesn't fall down it learns why the house didn't fall and it changes. "It is a scary thing.… Scary things sell insurance."
The insurance policies can cover the long lists of costs and losses, including patching holes in computer networks, locating culprits, notifying affected consumers and battling lawsuits, as well as foregone business and public relations campaigns.
As the costs of cyberattacks rise, insurers are limiting their maximum payouts and requiring high deductibles, said Karl Pedersen, senior vice president at insurance brokerage and risk advisor Willis.
Target spent $248 million after hackers stole 40 million payment card accounts and the personal information of up to 70 million customers. The insurance payout, according to Target, will be $90 million, leaving the company $158 million in the hole — plus what it paid for cyberattack insurance.
Home Depot reported $43 million in expenses related to its September 2014 hack, which affected 56 million credit and debit card holders. Insurance covered only $15 million.
Last week, Sony Corp. announced a $15-million tab from the hack against Sony Pictures Entertainment a few months ago, but would say only that it received a "substantial portion" back from insurance.
The cyberattack on Anthem, in which Social Security numbers were stolen, will be covered by insurance and result in a "minimal" financial hit, according to financial analysts who follow the company.
Premiums and deductibles vary based on the value of the data at risk, a company's loss history and the strength of its defenses. Strong cyberdefenses aren't always a ticket to lower premiums, though, because most breaches stem from more mundane mishaps, such as an employee losing a laptop full of sensitive information. Such incidents can be just as costly.
Until recently, the appeal of cyberattack insurance has been limited mostly to big corporations. But smaller companies are now flooding into the market, industry watchers say, partly driven by mandates from companies with which they do business. Target's breach is reported to have been linked to a vulnerability in a computer system used by one of its heating and air conditioning contractors. To shield themselves from exposure, large companies are requiring contractors, including engineers, architects and others, to buy data loss coverage.
Colleges have been another big buyer. Marsh & McLennan Cos., a risk management company and insurance broker, saw a 58% surge from 2013 to 2014 in the number of colleges buying cyberattack insurance.
Among the groups sitting out the cyberattack insurance rush are technology start-ups short on cash and deep into their work, said Linda Kornfeld, an attorney at Kasowitz Benson Torres & Friedman, who advises companies about cyberattack insurance.
"Many folks are focused on getting their business up and profitable before looking at risks," she said.