Jim Throneburg invented Thorlos socks in 1980 and set out to build a brand worthy of the slogan, “caretakers of the world’s feet.”
His company, Thorlo Inc., recently found out that it’s also in the business of taking care of customer data. In January, the Statesville, North Carolina-based business discovered hackers had been intercepting information on the Web after a customer reported a fraudulent credit-card charge.
“It was quite shocking to us that our little company got on the radar screen of people like this,” said J. Lynn Thorneburg, the owner’s son and Thorlo’s general counsel, whose last name is spelled differently from his father’s.
Smaller companies are learning that, as more data is shared online, they, too, can be targets for the kinds of attacks that larger firms endure. American International Group Inc. (AIG) and Travelers Cos. (TRV) are among insurers tailoring cybersecurity products to those customers.
Small and mid-size companies are “where we’re going to see some of the most aggressive growth in the next couple of years, because it’s been a part of the market that was ignored,” said Bob Parisi, network security and privacy practice leader at Marsh Inc., the insurance brokerage of Marsh & McLennan Cos.
Insurers have been selling cyber protection for more than a decade to help clients shoulder costs from data breaches, computer viruses and other types of electronic fraud. The policies, underwritten by companies including Ace Ltd. (ACE), Chubb Corp. (CB) and CNA Financial Corp. (CNA), typically cover liability from hacking and provide technical support. They can also defray costs of complying with laws that require companies to notify customers when private information has been compromised.
Cyber risks have gained renewed national attention after revelations about a breach of a U.S. Federal Reserve website, intrusions at the New York Times attributed to Chinese hackers and a wave of so-called denial-of-service attacks on the biggest U.S. banks and payment networks. Microsoft Corp. and Facebook Inc. have been targeted by malicious software.
Hackers temporarily shut down computer networks today at South Korean broadcasters and banks in the biggest cyberattack on the nation in two years, prompting the government to investigate possible links with North Korea.
Awareness about computer crime and more-affordable policies are leading smaller businesses to view cyber insurance as essential, Marsh said in a report this month. The number of clients buying the coverage climbed by 33 percent last year from 2011, the broker’s data show. Service businesses including accounting and law firms led the gains.
Policy sales still trail other lines of commercial coverage and probably were $250 million to $350 million last year, Parisi said.
AIG’s cyber-coverage premiums climbed by more than 20 percent last year, according to Tracie Grella, the insurer’s global head of professional liability for financial lines. Her team is working to expand sales to smaller firms.
“That’s where the opportunity is,” Grella said. “It’s a bigger universe” than the large accounts that were earlier adopters of the coverage.
Travelers, the only property insurer in the Dow Jones Industrial Average (INDU), introduced cyber-insurance coverage focused on small businesses in January after seeing a gain in demand from customers and agents, said Tim Francis, the New York-based company’s enterprise cyber-insurance lead.
Smaller businesses used to have a mentality that “nobody’s going to even bother to hack into my business, they’re after bigger fish,” he said. “That really isn’t the case,” he said. “There are bad guys out there that are looking to get information in the easiest way possible.”
Hackers installed a file on the system of David Handmaker’s Rancho Dominguez, California-based online print shop, Next Day Flyers, exposing clients’ names, addresses and credit-card numbers for almost two weeks last year. After discovering the breach, he had to notify customers who had ordered from his website.
“We’re just much, much more aware of the fact that being a small company” makes us more of a target, he said. Larger businesses have “more resources, and so I think their security practices are maybe a little more evolved.”
Expenses for a data breach can add up, according to Thorlo’s Thorneburg. The sock company went through a $50,000 limit on its cyber-insurance policy as it spent to notify customers and regulators. It also had to pay employees to stuff envelopes for a mailing to affected people.
The cost of compliance was a “bitter pill,” he said in a phone interview. “The legal fees are substantial.”
Among companies with less than $10 million in annual revenue, data breaches have become common, according to a survey sponsored by Hartford Steam Boiler, a unit of Germany’s Munich Re. The results released this month showed 55 percent of the more than 1,200 respondents had experienced loss or theft of data. Most breaches were caused by employee or contractor mistakes, the results show.
“Hacking gets a lot of the attention, but old-school breaches are very prevalent as well,” Eric Cernak, a vice president at Hartford Steam Boiler, said in an interview. Claims can involve paper records stolen from trash bins and missing laptops, he said.
Selling cyber policies to small and mid-size businesses may help insurers diversify their risk, as well as boost sales, said Marsh’s Parisi.
“It’s probably not the best thing in the world to have your book entirely comprised of the top 100 retailers and the top 10 banks,” said Parisi, who helped pioneer cyber coverage at AIG, before joining Marsh. “You’re sitting on top of a lot of potentially catastrophic losses.”
To contact the editor responsible for this story: Dan Kraut at firstname.lastname@example.org