Cyber risk insurers are doing a brisk business these days. Reports of data breaches abound, and risk managers are understandably looking to offload some of the risk through insurance. As a result, insurers are issuing new cyber risk policies at a record pace, and increasing limits on existing policies. The latest numbers show:

• The number of businesses purchasing cyber risk insurance coverage jumped 21% in 2013. The data-heavy financial services sector experienced the largest increase.[1]
• The dollar limits of coverage purchased by corporate clients with over $1 billion in revenue increased 10%, averaging $28.2 million in 2013.[2]
• Some larger corporations are purchasing $100 to $200 million in cyber coverage.[3]

As the insurance marketplace adjusts to the number and variety of data breaches, the response will continue and evolve. Expect more policies, higher limits, and expanded coverage options.

The “Target Effect”

Corporate risk managers stepped up purchases of cyber insurance before the cyber attacks on Target, Home Depot, and others, but these highly publicized incidents only accelerate the trend.  Some observers have dubbed the market impact “the Target effect.”

Since December 2013, Target’s data breach has reportedly cost the company more than $400 million out-of-pocket, well in excess of Target’s reported $100 million in cyber coverage. And the out-of-pocket loss does not include hundreds of millions of dollars of lost sales and a decline in Target’s market capitalization of over $2.0 billion in the first half of 2014.  No one wants to be the next Target or Home Depot.  Risk managers are increasing the limits of their current coverage -- and pressing for better coverage.

Traditional Cyber Risk Coverage

The vast majority of today’s cyber risk policies focus on data breaches or denial of access attacks.  The coverage and premiums vary considerably, but traditional policies will usually cover some subset of the following costs associated with data breaches:

• Customer notification
• Credit monitoring
• Call centers
• Public relations
• Forensic investigation
• Remediation efforts
• Regulatory actions
• Crisis management
• Defense and indemnity

Some policies go even further and include coverage for lost profits or cyber extortion.

The damage inflicted by a data breach can quickly overwhelm coverage limits and make an enduring negative impact on the brand.  Risk managers must play catch-up with both the financial scope of potential damage and the ever-changing nature of the threat.  Companies need coverage with significant limits.   But, as savvy risk managers know, they must also continue to assess -- and attempt to insure against -- the evolving nature of cyber attacks.  

The Evolving Risk

Companies with large brick-and-mortar exposures have begun to worry about cyber attacks that result in catastrophic physical loss. Neither traditional cyber policies, nor traditional property insurance policies with cyber exclusions will cover this kind of loss.[4]  Imagine a cyber attack that causes an equipment breakdown at a power plant, an explosion in a factory, or a sprinkler loss in a pharmaceutical plant. The uninsured damage could be significant.  The risk of cyber catastrophe is easy to ignore primarily because it has not happened yet.  Before leaving office last year, U.S. Secretary of Defense Leon Panetta warned that a cyber attack on American infrastructure “could be as destructive as the terrorist attack on 9/11.”

Reporting on the energy sector, Willis recently concluded that “a major energy catastrophe—on the same scale as Piper Alpha, Phillips Pasadena, or Deepwater Horizon—could indeed be caused by a cyber attack (whether politically motivated or not), and . . . coverage for such a loss is generally not currently provided by the Energy insurance markets.”

The technology to carry out large-scale cyber attacks on infrastructure is here – and has been since at least 2010.

In 2010, the Stuxnet computer virus took over process control equipment in Iran’s Natanz nuclear plant and damaged hundreds of Iranian centrifuges. The sopisticated virus evaded system controls and went undetected for months. In 2012, the Shamoon virus invaded Aramco in Saudi Arabia and RasGas in Qatar in what Secretary Panetta called “probably the most destructive attack that the private sector has seen to date.”  The virus ruined tens of thousands of computer workstations and crashed e-mail systems.

The New Cyber Risk Policies

Brokers are demanding better coverage, knowing that variants of these—or even more destructive— viruses continue to circulate.  Recently, Willis identified cyber attack risk transfer options a “paramount need” of its clients.  Insurers are responding to the clamor with new policies offering coverage for “physical loss” caused by cyber attack. Examples are American International Group Inc.'s recent launch of CyberEdge PC and Marsh’s recent announcement of its Cyber Gap Insurance product. More policies will follow. Initially, some insurers will cover the risk on an Excess or DIC basis by adding new elements of cyber risk as an insured peril. The coverage, of course, will be subject to the conditions and exclusions of the primary property insurance policy.

As insurance companies issue more policies, expect an increase in first-party property claims involving cyber attack. Some claims will undoubtedly involve tens of millions of dollars or more. To the extent that the cyber coverage is provided by a first-party property policy or by an Excess or DIC policy, property claims managers and coverage attorneys will face similar coverage issues in the cyber risk arena. Where the cyber policy language tracks the property policy language, legal precedents governing property insurance policies will guide companies, attorneys, and courts.

Conclusion

Cyber risk is evolving as the abilities of cyber terrorists and government-sponsored cyber attackers grow.  American corporate infrastructure is an attractive target, and so coverage is needed for the risk of physical loss and the resulting loss of income from cyber attacks.  For risk managers, this means finding coverage in your traditional property insurance program or in a new cyber property policy – or potentially putting your company’s entire infrastructure at risk.

[1] Marsh USA.
[2] Marsh USA.
[3] AON.
[4]See, e.g., Metro Brokers v. Transportation Ins. Co., 2013 U.S. Dist. Lexis 184638 (N.D. Ga. Nov. 2013) (all-risk policy with exclusions for loss caused by malicious code or system penetration).