While it feels like we’ve been talking about Cyber Liability cover for years now, the fact is, in relative terms it’s still new territory for insurers. Appropriate pricing is best determined through solid analysis of a variety of data, and underwriters haven’t yet been able to gather enough history on this type of exposure to do an ideal job of quantifying this risk.
However, there’s no denying that the threat is quite real. As of this writing, Sony Pictures is the latest high-profile victim of a major cyber breach, one from which some are saying it might never recover. In December, the situation for Sony executives—and stockholders—went from bad to worse each day. The real lesson of the Sony incident is that it could happen to any company that doesn’t focus heavily on its cyber security, no matter its size. Which is why it’s concerning that A.M. Best reveals in its Fall 2014 Insurance Industry Survey that 53% of insurer respondents said they currently do not purchase Cyber insurance for their own companies.
That’s right: More than half of the insurers polled by A.M. Best—the bulk of which were primary carriers, and 68% of which were from the property & casualty industry—admit they do not buy Cyber Liability cover. Some 30% of respondents who said they do purchase this coverage maintain $1 million to $5 million in limits; the rest acquired slightly larger amounts.
This statistic is all the more alarming considering that 15% of the responding companies admitted to having suffered a data breach or cyber attack, and it’s a good bet that the real percentage is higher than that. More than 37% of those insurance companies that were breached possessed more than $500 million in capital and surplus. The amount of surplus and capital held by this small concentration of large companies (about 92% of the overall pie) is disproportionate to the rest of the industry, and so too is the amount of client data and other sensitive information they hold. These larger, data-rich insurers present a prime target to cyber criminals.
The true security of data stored in the cloud is a point of ongoing debate—and A.M. Best found that nearly three-quarters (73%) of companies with more than $500 million in capital and surplus use the cloud for storage purposes. Respondents using the cloud find value in it for storing client and company information, including e-mails—and the majority of those insurers (72%) have third parties running their cloud storage.
Third parties. That means the keys to unlocking much of the confidential information held by some of the largest insurers in the U.S. aren’t even held internally. Think about that.
It’s hard to ponder what the impact on the P&C insurance industry as a whole would be if one of its largest companies should ever fall victim to a cyber attack of crippling proportions. And fooling yourself into thinking “that couldn’t happen to us” is the first step to inviting disaster. Just ask the people at Sony.
If criminals with the technological means to do so have a motive to steal information from you, they’ll get it. It’s only a matter of time. Let’s hope that the P&C industry possesses enough foresight to start talking about how it can better protect its own highly valuable assets, lest its executives wake up one day very sorry that they didn’t.