The rash of hacking attacks on US companies over the past two years has translated into big insurance rate increases for cyber-premiums.
Insurers are also raising deductibles and sometimes limiting the amount of coverage to $100 million for companies in high-risk industries, like retailers and health insurers.
The latter group is bearing the brunt of the trend, with premiums in some cases tripling at renewal time. Average rates for retailers meanwhile surged 32 percent in the first half of this year, after staying flat in 2014.
"Some companies are struggling to find the money to buy the coverage they want," said Tom Reagan, a cyber-insurance executive with Marsh & McLennan Co.'s Marsh broker unit, speaking to Reuters.
In some cases, companies struggle to be insured at all.
Reuters also reported that testimony from Anthem General Counsel Thomas Zielinski at an August hearing of the National Association of Insurance Commissioners characterized renewal rates as “prohibitively expensive.” The insurer, which was hit with a massive breach earlier this year, was approved for only $100 million in coverage, “only after agreeing to pay the first $25 million in costs for any future attacks.”
"We have turned clients away," said Tracie Grella, the global head of professional liability at insurance giant AIG, which will insure companies up to $75 million for a cyberattack, but only for companies like top global banks that are the most adept at securing networks and mitigating cyber risk.
Warren Buffett’s Berkshire Hathaway said the same. "We will be very selective," said Danielle Librizzi, an executive with the insurer.
The higher prices and limits on liability are a correction based on actual losses by insurers associated with breaches, some say.
“Insurance is gambling with risk, and insurers need to ensure the house wins,” said Ken Westin, senior security analyst for Tripwire, in a blog post. “They do this with data to stack the deck in their favor. One of the challenges for insurers was identifying the scope of potential financial liabilities when it comes to a data breach. Much of this has been due to the lack of data to understand the potential financial impact of a breach. However, with the rise in high-profile breaches, insurers finally have data they need to assess risk and the results are staggering. Insurers see that the financial risks of a breach to a company go far beyond initial clean up and identity theft protection for customers affected. As customers, banks and even the government file lawsuits against breached companies, the financial impact of a breach is skyrocketing.”
He added, “Companies that have been seeking to offset their risk by focusing on investment in insurance will be increasingly better off investing some of those funds into better cybersecurity initiatives, particularly around controls designed to detect data breaches in progress. We know that eventually prevention will fail and companies that invest in the ability to detect and quickly remediate any attacks will be in a better position to block attackers before major damage occurs.”