Demand for cybersecurity insurance is booming as a string of high-profile hacks and data breaches spurs explosive growth in what has suddenly become a $2 billion industry.
The recent cyberattack on Sony Pictures Entertainment, which brought losses and public embarrassment to the company, has only accelerated years of steady growth that is expected to expand into new sectors of the economy in 2015.
“Off the charts,” Bob Parisi, the national cyber risk product leader at insurance firm Marsh, said of the spike in business. “Kind of the hockey stick analogy.” After two or three years of 35 percent to 50 percent growth, “we saw that pace looking like it was doubling, in some areas tripling” in 2014, Parisi said. Major data breaches at Target, Home Depot and JPMorgan, which collectively exposed the information of hundreds of millions of consumers and cost the companies millions of dollars, have heightened businesses’ concerns that they could be next.
The Sony hack served to demonstrate the breadth of the risk, forcing industries not typically targeted by digital criminals to ask themselves: “What do we insure?” For a rapidly increasing number, the answer is: “Everything.” “Every major breach gets companies off the sidelines and moves them towards purchasing,” said Matthew McCabe, a senior vice president with Marsh’s network security and data privacy division.
When a hack is in the news, McCabe gets calls from companies he had previously spoken with about cyber insurance. He said they often ask him, “You know those quotes you brought to us, are those still good? Let’s buy.” The Sony attack “is going to increase the degree to which people seek cyber insurance,” said Jonathan Handel, a former computer scientist and entertainment law professor at the University of Southern California Gould School of Law. “This is really a wake-up call, I think, in terms of IT policies and in terms of IT exposure.”
The reason to buy cyber insurance is obvious: Data breaches are expensive. When a company is breached, it has to navigate 47 different state notification laws, reach out to customers, pay for credit monitoring for those affected, hire forensic investigators and repair its systems. And that’s before the inevitable lawsuits. Target is facing not only a shareholder class action suit but also a joint lawsuit from major banks demanding reimbursement for the costs of reissuing credit cards.
According to research at data-breach response firm Experian, the average costs for a breached company total $9.4 million over a 24-month period. On the high end, some major hacks have set firms back more than $100 million, said Michael Bruemmer, vice president of Experian’s Data Breach Resolution group.
The Sony hack, which the government blamed on North Korea, has shown data breaches can also lead to indirect costs that are harder to quantify. Illegal copies of the movie studio’s films were leaked online, hitting box office revenue. The controversial comedy that spurred the cyber assault, “The Interview,” is still not expected to make what it would have with a wide theatrical release, despite record online sales.
Leaked internal documents revealed gender pay discrepancies in actor’s salaries as well, reportedly driving actress Charlize Theron to negotiate a multimillion-dollar pay raise for an upcoming film. “Now you’re bringing nation-state and potentially competitor knowledge risk to the table,” said Rena Mears, a managing director with BuckleySandler who has advised companies on managing data risks for decades. “Cybersecurity insurance is having to deal with that broader set of risks.”
“I think now filmmakers and producers and production companies may ask for cybersecurity insurance to be an add-on,” said Kathryn Arnold, a veteran film producer. Roughly 30 to 40 percent of companies carry some type of cybersecurity insurance, according to Bruemmer. “More importantly,” he said, “about another third of companies have said in the next 12 months that they’re going to buy a policy.” Companies are looking not just to cover their immediate costs, but for insurance covering the full suite of actions they would have to take in the event of a breach.
While the cyber insurance industry started out mostly covering discrete costs related to lost credit card information, a robust cyber insurance package now provides a lawyer to navigate data breach laws and brings in the best vendor to investigate the cyberattack. The entire response “is quarterbacked by the cyber insurance carrier,” Bruemmer said.
For companies not used to fighting off hackers, this might present an attractive option, which may explain why cyber insurance adoption is expected to briskly rise in sectors that aren’t directly customer-facing, including manufacturing, life sciences, food production and utilities. “That’s where we’re starting to see the growth,” Parisi said.
Cybersecurity insurance is already heavily concentrated in the retail, healthcare, tech and telecom sectors, where roughly 75 to 80 percent of larger companies have cyber insurance, Parisi explained. Widespread adoption could drive a “virtuous cycle,” said Mears, of BuckleySandler. To get useful cybersecurity insurance, companies must first thoroughly evaluate their cyber risks, something the government has been pressing the private sector to do for years. In the long term, Mears believes, these evaluations could bolster the private sector’s cyber defenses. “I’m hopeful,” she said.