Julia Roberts’s smile is insured. So are Heidi Klum’s legs, Daniel Craig’s body and Jennifer Lopez’s derrière. But the fastest-growing niche in the industry today is cyberinsurance.
Specialized policies to protect against online attacks are offered by about 50 carriers, including big names like the American International Group, Chubb and Ace. As data breaches have become a reality of the business world, more companies are buying policies; demand increased 21 percent last year from 2012, according to Marsh, a risk management company and insurance broker.
Yet companies say it is difficult to get as much coverage as they need, leaving them vulnerable to uncertain losses.
The main problem is quantifying losses from attacks, because they are often intangible — lost sales or damage to a brand name, like the public relations disaster Target suffered after the breach of its point-of-sale systems late last year.
“The losses that are more tangible and more readily quantifiable are the ones you’ll be able to insure against more easily,” said Ed Powers, who heads the online risk services practice at Deloitte & Touche, the accounting firm. “The ones that are less tangible and less quantifiable are more challenging, but those are often the bigger ones.”
At the same time, underwriters lack the data they need to figure out how likely it is that an attack will occur, or what it will cost. This is because most breaches go unnoticed or are never publicly reported. Information on past attacks is not particularly helpful because attackers are always getting more advanced, and the risk is increasing as companies put their most valuable data online.
Graeme Newman, a director at CFC Underwriting, said that in underwriting property, insurance companies can draw on reams of data spanning hundreds of years.
“They could tell you exactly the chance of an office building burning down in Midtown Manhattan, but there isn’t anyone on this planet who could tell you the probability of a large U.S. retailer being hacked tomorrow,” Mr. Newman said.
“Statistics from five years ago are almost irrelevant today,” he added.
Total cyberinsurance premiums paid last year reached $1.3 billion, according to Betterley Risk Consultants, a jump from the $1 billion paid in 2012. The bulk of that involves smaller policies issued to small to midsize businesses.
The most coverage a company can hope to acquire, using multiple underwriters, is about $300 million, experts say, significantly less than the billions of dollars’ worth of coverage available in property insurance.
The problems companies face in getting insurance are illustrated by the situation Target faced last year.
At the time of its breach, the retailer had cobbled together $100 million in coverage, on top of a $10 million deductible, according to regulatory filings. The coverage, which came from multiple carriers, will barely compensate for the $1 billion in losses some analysts are forecasting. Since the breach was discovered, the company has incurred $88 million in breach-related expenses, its filings say, and it expects insurance to cover $52 million of that.
Cyberinsurance has existed since the 1990s, but companies were forced to consider coverage when a New York court ruled in February that Sony’s general liability policy would not cover the $2 billion in costs the company incurred from the huge data breach in 2011 involving the online network for its PlayStation game console.
Cyberinsurance policies vary widely. The most comprehensive ones reimburse for immediate cleanup costs like hiring a forensics firm, notifying customers, setting up call centers and paying for free credit monitoring. Some also cover legal fees and the cost of hiring a crisis management firm.
But those costs can be only the tip of the iceberg, experts say.
For example, after the breach at Target, its profit was cut nearly in half — down 46 percent over the same period the year before — in large part because the breach scared away its customers. The loss to the brand is essentially unmeasurable.
“There is no real way to put empirical data on what the value of a brand is post-breach, during a breach and prior to a breach,” said Michael Tanenbaum, senior vice president of ACE Professional Risk, part of Ace. “We are about science and math, and you just can’t get your arms around it. And two people can’t always agree on whether a brand has been diminished.”
To regain consumer confidence, Target announced that it would speed the adoption of more secure chip-and-PIN technology in its stores and for its branded debit and credit cards, a step it estimates will cost $100 million. That expense is not covered by its insurance policies.
Policies also exclude some major forms of breach, like state-sponsored online espionage attacks, which tripled last year, according to a recent Verizon report.
Some experts say insurers keep policies narrow simply because there are too many unknowns. In most cases, insurers use questionnaires to determine a client’s risk of a breach. Rarely, Mr. Olcott said, they will perform a penetration test, in which paid hackers try to break into a company’s network to identify its weak spots.
“They won’t do the due diligence you might expect,” he said.
More data about breaches has been forced into the open because of the Health Insurance Portability and Accountability Act, or Hipaa, of 1996, which established strict security and privacy standards for patient data and became a model for many state breach notification laws.
Insurers say those laws have forced more companies to step forward when data is lost, creating more actuarial data for underwriters to draw upon. Last year, the Ponemon Institute, a nonprofit that tracks breaches, estimated that the cost of a data breach was $188 per compromised record, with 28,765 records breached on average in the year.
The market continues to evolve. Recently, A.I.G. became the first insurer to expand its cybercoverage to include physical risks, like property damage and bodily injury. If an attack on an oil company resulted in an explosion, damage from that could now be covered, said Tracie Grella, global head of professional liability at A.I.G.
Another wrinkle in the market is the uncertainty over how to assess the risk of cloud computing services, which increasingly are the repository for all sorts of data maintained by businesses.
A big question is whether the aggregation of data from many companies in a cloud service like Amazon’s is safer or more vulnerable. One breach could mean catastrophic loss for many companies. But some businesses might be better off outsourcing their data to a large cloud provider like Amazon that has greater resources to protect it, said Ty Sagalow, a former chief operating officer at A.I.G. who is now a president of an insurance consulting group.
Whatever the complexities, cyberinsurance is now big business.
“Insurers can’t afford not to be in this thing,” Mr. Sagalow said.