Cyber cover goes where no policy has gone before

Cyber risks are now seen to be as tangible as physical threats to a company’s assets

Thinking over why his clients have bought cyber insurance, Seán Burke of Galway company Burke Insurances lists the "fear of the bad PR following a hack", as well as the "cost of dealing with the Data Protection Commissioner" and the "cost of sending out a few thousand letters to affected clients" as being prime motivators.

However, when asked whether any of his clients would like to explain their reasons further themselves, he correctly predicts than none want to discuss the matter.

“It’d be almost a challenge to a hacker to take them on knowing they had the cover,” said Burke, “it’s almost like letting people know you had a kidnap insurance policy.”

Still a new factor in the Irish insurance market, cyber insurance has become more prominent over the past year, in particular as the financial burden of online downtime and phenomenally costly data leakage incidents from LoyaltyBuild to Target become more noticeable. "We have cyber insurance and the rationale as to why we have it is simply to do business," Pat Larkin, chief executive with information security company Ward Solutions, told The Irish Times.

READ MORE

Requirements

While “not explicitly” mentioned in tenders or new contracts, the requirements involved in taking on security responsibilities for a client in high- risk areas (in data-leakage terms) such as healthcare, financial services, telecommunications and online retail, “effectively mean” it’s something the company “has to have” to operate.

According to George Anderson, director at US-based security company, Webroot, "while cyber insurance may help minimise the financial impact of a potential attack, the resulting reputational loss can have much more severe consequences".

Louise Kidd, Irish financial lines manager for AIG – the nation's largest provider of cyber insurance, which reported a 30 per cent increase in sales of its CyberEdge product earlier this year – said the core reason this type of insurance was needed was that "professional indemnity policy is unlikely to indemnify" companies against the results of a security, data or systems catastrophe.

Exposure to regulatory fines, “damages and litigation expenses associated with defending claims from third parties” as well as diagnosing where the breach came from, reconfiguring associated networks and productivity losses, are all costs that lead companies towards investing in cover, she added.

Kidd says the threat represented by cyber risks is now as tangible as physical threats to a company’s assets and has serious knock-on effects.

She also warns that future legislation is likely to mean “the financial and operational effects of a data breach will become more onerous for organisations that have suffered, or contributed to, a breach”.

Other major insurers such as Aviva have yet to cover the cyber area. But this is perhaps indicative of the slow movement of the overall market in Europe thus far. While earlier this year, PwC's cyber-security director, Daljitt Barn noted "cyber insurance is the fastest-growing specialty line of insurance ever", the disparity between levels of cover in the US, where the industry is valued at €1 billion annually, and the EU, which is worth €60 million to €160 million a year, is startling.

Burke says in the Irish market “the problem is that there are not enough providers in the market and so the insurance can be relatively expensive for a small company or operation”.

Limits

Typically, he said this will man that premiums will “start at €1,500 and it increases from there depending on the limits you choose to cover yourself” as well as the size and turnover of the business involved.

“We have some clients paying us upward of €40,000 on this type of cover, but this to a degree reflects the large size of the risk and the particular business they are in and cover chosen,” said Burke.

Crisis management

Polices that cover data breaches, notification of clients, network interruption, extortion and crisis management assistance, alongside all manner of network security issues, will also generally entail a policy excess likely to “start at €5,000”.

“So there is pain for any buyer before any insurance ever kicks in, and in larger companies that €5,000 could be €50,000,” said Burke, who hopes “as time goes on and more providers enter the marketplace, the cover cost will decrease and more commoditised products will come on stream for business”.