Data breaches can be expensive — just ask Marriott. The hotel group said last November that hackers had been accessing its database since 2014, compromising up to 339m guest records.
Since then it has incurred $100m costs relating to the hack and that is before a potential £99m fine levied under EU rules.
However, the effect has been cushioned by insurance policies, which have paid out $102m to the company.
Cyber cover is one of the fastest growing parts of the insurance industry. High profile data breaches and ransomware attacks — such as the WannaCry and NotPetya attacks in 2017 — have convinced companies they need protection.
“NotPetya was a huge trigger for buying outside the US as [companies] saw what business interruption really looks like,” says Sarah Stephens, the cyber, media and technology practice leader at insurance broker Marsh JLT Specialty.
Cyber insurance dates back to the 1990s when a growing number of ecommerce companies sought to protect themselves from the risk that hackers would take down their websites.
The growth more recently has been led by the US, where data protection regulations and fines for data breaches have convinced companies to buy insurance.
That trend is spreading to Europe where the GDPR data rules that came into force last year are expected to lead to a wave of fines — for example, British Airways has been provisionally fined £183m for a data breach in 2018.
It is unclear whether fines can be covered by insurance under EU law but brokers say that the potential penalties faced by BA and Marriott have raised awareness about the risks involved in data breaches.
The other growth market is small and medium-sized enterprises. Brokers say that penetration is still low but that given their smaller resources these companies are particularly vulnerable to a cyber attack.
“We are seeing more and more take-up, particularly in industries where we see a data breach risk such as retailers, healthcare, anyone dealing with data analytics and companies that work with big, global firms,” says Ms Stephens.
Global cyber insurance market value projection by 2022
Cyber insurance policies pay out to customers that have suffered an attack, much as a normal insurance policy would. But there is often also a service element to the product that provides practical help to customers whose systems have been attacked.
These services can include forensic investigators to probe the causes and offer solutions, public relations experts to deal with reputational damage and even expert negotiators to deal with ransom demands and arrange for their payment, often via bitcoin.
Insurance companies see cyber as a rare opportunity for growth and have rushed into the market. Almost 200 insurers offer cyber cover in the US, while the global market for cyber insurance is expected to grow from about $6bn of premiums a year to $15bn by 2022, according to RBC Capital Markets.
But that growth could carry a high cost for insurance companies.
While there are sophisticated models in place for known risks such as floods and storms, cyber risks are different.
“Cyber modelling is still very much in its infancy,” says Rebecca Bole, head of industry engagement at CyberCube, a cyber modelling specialist. “It is a very different peril to weather-related perils, where the science is documented and well understood. Cyber is a man-made peril, which creates a lot of complexity.”
Insurers and modellers have to grapple with the ever-changing nature of cyber attacks, along with uncertainty over who the perpetrators are, what they want, how much damage they could cause and how quickly the effect of an attack could spread around the globe.
“We know more about [catastrophe risk] than we do about cyber,” Brian Duperreault, chief executive of insurer AIG, said at a recent Financial Times/PwC insurance summit. “The bad guys have a better research and development department than we do.”
He said there was strong demand for cover from AIG customers. “Every client faces cyber [threats] — it is the biggest single global risk we face.”
The possible cost of large scale attacks are eye-watering. CyberCube and Guy Carpenter, an insurance broker, modelled scenarios that could cause big losses for the industry. An extended outage at a large cloud services provider could lead to $14.3bn in payouts, for example, while a widespread theft from an email service provider could result in losses of $19.1bn.
Lloyd’s of London, the insurance market, has also assessed the cost of a large-scale cyber attack. It recently estimated that a single attack on Asian ports in which a computer virus scrambled cargo records could lead to $110bn economic damage — equivalent to half the 2018 global loss from natural catastrophes — with only 8 per cent covered by insurance policies.
“There is a recognition that this is a huge growth area for the insurance industry,” says Ms Bole. “More and more enterprises will be looking for risk transfer.”