Cyberattack Insurance a Challenge for Business

June 8, 2014


Julia Roberts’s smile is insured. So are Heidi Klum’s legs, Daniel Craig’s body and Jennifer Lopez’s derrière. But the fastest-growing niche in the industry today is cyberinsurance.

Specialized policies to protect against online attacks are offered by about 50 carriers, including big names like the American International Group, Chubb and Ace. As data breaches have become a reality of the business world, more companies are buying policies; demand increased 21 percent last year from 2012, according to Marsh, a risk management company and insurance broker.

Yet companies say it is difficult to get as much coverage as they need, leaving them vulnerable to uncertain losses.

The main problem is quantifying losses from attacks, because they are often intangible — lost sales or damage to a brand name, like the public relations disaster Target suffered after the breach of its point-of-sale systems late last year.

“The losses that are more tangible and more readily quantifiable are the ones you’ll be able to insure against more easily,” said Ed Powers, who heads the online risk services practice at Deloitte & Touche, the accounting firm. “The ones that are less tangible and less quantifiable are more challenging, but those are often the bigger ones.”

At the same time, underwriters lack the data they need to figure out how likely it is that an attack will occur, or what it will cost. This is because most breaches go unnoticed or are never publicly reported. Information on past attacks is not particularly helpful because attackers are always getting more advanced, and the risk is increasing as companies put their most valuable data online.

Graeme Newman, a director at CFC Underwriting, said that in underwriting property, insurance companies can draw on reams of data spanning hundreds of years.