Skip to main content

Originally published Sunday, February 15, 2015 at 8:01 PM

  • Share:
  • Comments
  • Print

Spending on cyberattack insurance soars as hacks become more common

Highly publicized breaches into computer systems of big companies have turned the spotlight onto cyberattack insurance. “Everyone’s swamped with new applications,” said one insurance provider.

Los Angeles Times


Hackers are wreaking havoc on big organizations, but they’re also spurring a new market — cyberattack liability insurance.

Once-complacent businesses, stung by debilitating cyberattacks at Target, JPMorgan Chase and other well-known companies, are on a cyberattack-insurance shopping spree.

“Everyone’s swamped with new applications,” said Nick Economidis, an underwriter at cyberattack-insurance provider Beazley Group.

The hack of health insurer Anthem’s computer system — a breach disclosed recently affecting up to 80 million customers — is bound to create more demand.

Spending on cyberattack insurance nearly doubled in 2014 from 2013, to about $2 billion, according to industry analysts.

Insurance offices are struggling to keep pace. Nearly every insurance agent polled last fall by reinsurer PartnerRe reported growing demand for cyberattack-liability insurance, with 45 percent reporting a “significant” uptick. Beazley said the number of policies in its book rose 150 percent from 2012 to 2013 and 100 percent from 2013 to 2014.

Ty Sagalow, an industry consultant and former chief operating officer for AIG’s EBusiness division, said the growing sense that cyberattacks are no longer unusual events is dialing up the fear factor.

“Think of a massive cyberattack as an intelligent hurricane,” he said. “If it hits a house that doesn’t fall down, it learns why the house didn’t fall and it changes.

“It is a scary thing. ... Scary things sell insurance.”

What’s covered

The insurance policies can cover the long lists of costs and losses, including patching holes in computer networks, locating culprits, notifying affected consumers and battling lawsuits, as well as foregone business and public-relations campaigns.

As the costs of cyberattacks rise, insurers are limiting their maximum payouts and requiring high deductibles, said Karl Pedersen, senior vice president at insurance brokerage and risk adviser Willis.

Target spent $248 million after hackers stole 40 million payment-card accounts and the personal information of up to 70 million customers. The insurance payout, according to Target, will be $90 million, leaving the company $158 million in the hole — plus what it paid for cyberattack insurance.

Home Depot reported $43 million in expenses related to its September 2014 hack, which affected 56 million credit- and debit-card holders. Insurance covered only $15 million.

Sony recently announced a $15 million tab from the hack against Sony Pictures Entertainment a few months ago, but would say only that it received a “substantial portion” back from insurance.

The cyberattack on Anthem, in which Social Security numbers were stolen, will be covered by insurance and result in a “minimal” financial hit, according to financial analysts who follow the company.

Premiums and deductibles vary based on the value of the data at risk, a company’s loss history and the strength of its defenses. Strong cyberdefenses aren’t always a ticket to lower premiums, though, because most breaches stem from more mundane mishaps, such as an employee losing a laptop full of sensitive information.

Until recently, the appeal of cyberattack insurance has been limited mostly to big corporations. But smaller companies are now flooding into the market, industry watchers say, partly driven by mandates from companies with which they do business.

Target’s breach is reported to have been linked to a vulnerability in a computer system used by one of its heating and air-conditioning contractors. To shield themselves from exposure, large companies are requiring contractors, including engineers, architects and others, to buy data-loss coverage.

Colleges have been another big buyer. Marsh & McLennan, a risk-management company and insurance broker, saw a 58 percent surge from 2013 to 2014 in the number of colleges buying cyberattack insurance.

Among the groups sitting out the cyberattack-insurance rush are technology startups short on cash and deep into their work, said Linda Kornfeld, an attorney at Kasowitz Benson Torres & Friedman, who advises companies about cyberattack insurance.

Four weeks for 99 cents of unlimited digital access to The Seattle Times. Try it now!

Also in Business & Technology

News where, when and how you want it

Email Icon

Relive the magic

Relive the magic

Shop for unique souvenirs highlighting great sports moments in Seattle history.



The Seattle Times

The door is closed, but it's not locked.

Take a minute to subscribe and continue to enjoy The Seattle Times for as little as 99 cents a week.

Subscription options ►

Already a subscriber?

We've got good news for you. Unlimited content access is included with most subscriptions.

Subscriber login ►
The Seattle Times

To keep reading, you need a subscription upgrade.

We hope you have enjoyed your complimentary access. For unlimited access, please upgrade your digital subscription.

Call customer service at 1.800.542.0820 for assistance with your upgrade or questions about your subscriber status.

The Seattle Times

To keep reading, you need a subscription.

We hope you have enjoyed your complimentary access. Subscribe now for unlimited access!

Subscription options ►

Already a subscriber?

We've got good news for you. Unlimited content access is included with most subscriptions.

Activate Subscriber Account ►