In-brief: cyber insurance premiums are jumping following a string of large and high-profile breaches, Reuters reports. But that doesn’t mean insurers are souring on covering online risk.
Jim Finkle over at Reuters has a story today about the increase in cyber security insurance rates following a string of high-profile attacks on retail organizations and healthcare firms.
From the article:
Insurers are raising deductibles and in some cases limiting the amount of coverage to $100 million, leaving many potentially exposed to big losses from hacks that can cost more than twice that…
The price of cyber coverage – which helps cover costs like forensic investigations, credit monitoring, legal fees and settlements – varies widely, depending on the strength of a company’s security. But the overall trend is sharply up.
That shouldn’t come as a surprise. Insurance rates can be expected to broadly track to risk. The more attacks and the more likely those attacks are to be successful (that is: generate losses) the, the more expensive coverage to make organizations whole from an incident should become.
Experts have long predicted that better data would allow insurance companies to do a better job pricing cyber risk. As insurance companies divide “cyber risk” into broad categories of first- and third-party cyber risk, actuaries are getting better at defining online risks and assigning financial value to them.
[Read Security Ledger coverage of cyber insurance here.]
As those actuarial calculations become more accurate, insurance companies are able to accurately attach pricing (in the form of premiums and deductibles) to specific risks and mitigations. That, in turn, will focus investments in areas that are most likely to reduce risk.
Despite the risks, insurance companies are ecstatic about the upside opportunity of insuring against cyber incidents. “Insurers love it. This is the largest new category of insurance in 20 years,” said Nicholas Reuhs, an attorney with the firm ICE Miller LLP, speaking at the ISSA International Conference in Chicago on Monday.
Still, insurance companies need to tread carefully: writing policies so as not to over expose themselves by covering the down side of massive cyber incidents. Typically, this is accomplished by increasing premiums, bigger deductibles and “exclusions” that rule out reimbursement for companies under certain circumstances or that cap payouts.
According to Reuters, which reviewed data from the firm Marsh & McLennan, that’s just what insurance companies are doing. Average rates for retailers, for example, rose 32 percent in the first half of this year. Insurers are also capping coverage at $100 million for what are described as “risky customers” and setting high deductible amounts that customers must pay out of pocket before insurance kicks in.