Insurers are massively increasing cyber insurance premiums for some companies in response to the number of major data breaches in the U.S. over the past two years, according to a recent Reuters report.
According to Marsh & McLennan, the average rates for retailers increased by 32 percent in the first half of 2015 alone, after remaining flat throughout 2014. And it’s not just about higher premiums — some companies are also finding their deductibles raised and their coverage limited.
Bob Wice, a leader of Beazley plc’s cyber insurance practice, told Reuters that health insurance companies that have been hacked are being hit the hardest, with some premiums tripling upon renewal.
At an August hearing of the National Association of Insurance Commissioners, Reuters notes, Anthem general counsel Thomas Zielinski said his company found that renewal rates for cyber insurance became “prohibitively expensive” following a data breach at the health insurer earlier this year. Anthem was eventually able to get $100 million in coverage, but only with a $25 million deductible.
A recent PwC report predicted that the global cyber insurance market could grow to $5 billion in annual premiums by 2018 and to at least $7.5 billion by the end of the decade.
“Given the high costs of coverage, the limits imposed, the tight terms and conditions and the restrictions on whether policyholders can claim, many policyholders are questioning whether their policies are delivering real value,” PwC insurance partner Paul Delbridge said in a statement.
“There is also a real possibility that overly onerous terms and conditions could invite regulatory action or litigation against insurers,” Delbridge added.
Ken Westin, senior security analyst at Tripwire, told eSecurity Planet by email that it’s long been a challenge for insurers to identify the scope of potential financial liabilities from a data breach. “Much of this has been due to the lack of data to understand the potential financial impact of a breach,” he said. “However, with the rise in high profile breaches, insurers finally have data they need to assess risk, and the results are staggering.”
“Insurers see that the financial risks of a breach to a company go far beyond initial clean up and identity theft protection for customers affected,” Westin added. “As customers, banks and even the government file lawsuits against breached companies, the financial impact of a breach is skyrocketing.”
As a result, Westin said, the higher premiums and limits on liability reflect actual losses by insurers following breaches. “Companies that have been seeking to offset their risk by focusing on investment in insurance will be increasingly better off investing some of those funds into better cyber security initiatives, particularly around controls designed to detect data breaches in progress,” he said.
“We know that eventually prevention will fail and companies that invest in the ability to detect and quickly remediate any attacks will be in a better position to block attackers before major damage occurs,” Westin added.