Cyber risks appear to be on the rise, and the number of companies purchasing cyber insurance increased 21 percent in 2013 compared to 2012, according to “Interest in Cyber Insurance Continues to Climb,” a Marsh Risk Management Research Briefing.
Marsh found that financial institutions were the largest group by industry vertical, representing 29 percent of buyers, and that average limits purchased for cyber risk rose to $11.5 million for all industries and company sizes in 2013, an increase from the average of $11.3 million in 2012.
“So far in 2014, some 311 data breach events have been publicly disclosed as of May 27, with 8.5 million records exposed. Yet despite the large number of reported breaches, the actual number of breaches and exposed records is without a doubt much higher as many, if not most, attacks go unreported,” said Independent Insurance Agents & Brokers of America Inc. in “Cyber Risks: The Growing Threat,” a recent white paper.
Cyber risks now are a top 10 business risk, according to a ranking by Allianz, but neither commercial general liability nor standard business owner’s policies offers coverage after a cyber-attack. Of the 614 breaches in 2013, 269, 43.8 percent, affected Medical/Healthcare companies and Banking/Credit/Financial accounted for 23, or 3.7 percent, according to the Identity Theft Resource Center, as quoted by I.I.I.
“This raises the important question of whether and how adequately businesses are protected by insurance coverage in the event they suffer a loss due to a cyber attack,” I.I.I. said.
According to the I.I.I., stand-alone cyber risk policies typically include:
- Business interruption. Covers loss of business income resulting from a cyber attack on a company’s network that limits its ability to conduct business.
- Criminal rewards. Covers the cost of posting a criminal reward fund for information leading to the arrest and conviction of those who have hacked a computer system.
- Crisis management. Covers the cost of retaining public relations assistance and advertising to rebuild a company’s reputation.
- Cyber extortion. Covers the of settling an extortion threat against a network, as well as the cost of hiring a security firm to track down and negotiate with blackmailers.
- Data breach. Covers the cost and legal liability resulting from a data breach, such complying with regulatory requirements or addressing customer concerns.
- Identity theft. Covers the cost of creating an identity theft call center in the event customer or employee personal information is stolen.
- Liability. Covers defense costs, settlements, judgments and punitive damages incurred as a result of a data theft, transmission of a computer virus, failure of its computer security system and allegations of copyright or trademark infringement, libel, slander and defamation.
Information loss accounts for 43 percent of the loss costs, and business disruption or lost productivity account for 36 percent of external costs due to cyber crime. Revenue loss accounted for 17 percent and equipment damages, 4 percent.
