Attacks spur surge in cyber insurance sales
Simply sign up to the US & Canadian companies myFT Digest -- delivered directly to your inbox.
Sales of “cyber insurance” policies have surged almost a third at AIG, the biggest standalone insurer in the US, as companies seek to protect themselves from a growing onslaught of cyber attacks and data breaches.
“What we’ve been seeing is significant growth,” said Tracie Grella, who oversees AIG’s cyber insurance initiatives, as its head of professional liability. Sales of cyber insurance jumped 30 per cent last year compared with 2012, she said.
While cyber attacks – such as the recent security breach at Target – are on the rise globally, the market for the cyber insurance insurance policies remains a patchwork of highly-customised policies dominated by a few big insurance providers.
Only 31 per cent of US companies have cyber insurance policies, according to a report by Experian last year. A report from Betterley Risk Consultants, which provides risk management research, estimated in June that the annual gross written premium for US cyber insurance policies was $1.3bn.
“It’s an immature market,” says Karl Schimmeck, vice-president of financial services operations at Sifma, an industry group for financial companies that last year spearheaded a simulated widescale cyber attack on Wall Street.
“The risks are not very well understood. There’s not a lot of historical information that insurance companies can call on to quantify their risk. That’s part of the problem.”
The issue has drawn the attention of the US government, which is hoping to encourage growth in the market for cyber insurance, to enable more companies to insulate themselves from the financial impact of attacks.
In the UK, the government will on Thursday warn British companies of the increased risk of cyber attacks when conducting mergers and acquisitions, because of the sharing of information between participants electronically.
“The very success features of a corporate finance transaction also create vulnerabilities that can be exploited by malign interests that want to access very sensitive commercial data, transaction information and intellectual property,” said David Willetts, UK minister for Science and Universities.
To increase awareness of this specific threat, the UK government is issuing guidelines to UK companies – citing the example of a FTSE 350 group that suffered a sustained compromise of sensitive data after acquiring a company with poor network security.
William Stewart, senior vice-president at Booz Allen Hamilton, a US government contractor with a significant cyber security operation, said new US guidelines would open the door for the cyber insurance market to grow in 2014.
But he warned the guidelines on how critical infrastructure owners should protect themselves currently being assembled by the National Institute of Standards and Technology (Nist) would only be a step in the right direction rather than a “panacea”.
“The problem with cyber analysis is that is it is very unpredictable, hard to understand what the potential loss will be,” he said. “I think there’s a benefit to the insurance industry getting more of a standard framework, a lexicon that is not there right now.”
But even as the government pushes companies to adopt cyber security guidelines and take up insurance policies, many remain reluctant to pay for protection which they fear may not cover the full fallout from a diverse range of cyber attacks.
Ms Grella at AIG warned: “Just because they’re talking about it doesn’t mean they buy it. Companies are underinsured and there is lots of growth potential.”
With additional reporting by Sam Jones in London
Comments