AIG Says Companies Massively Under-Insured for Cyber Risk

Peter Hancock, the chief executive officer of American International Group Inc. (AIG)’s property-casualty unit, says businesses have too little coverage to guard against costs tied to cyber attacks and data breaches.

“It’s a very real risk, and one that’s massively under-insured,” Hancock, 55, said today at a conference in New York held by National Underwriter. “Without greater awareness, there’s not much customer demand. Without much customer demand, the industry’s capacity is rather small. And without the large capacity, the customers say, ‘Why buy it?’”

Zurich Insurance Group AG (ZURN) and New York-based AIG are among carriers offering protection that helps pay for damage caused by hacking as well as fines and repair costs. Attacks against U.S. banks have knocked their websites offline and prevented customer access, and the Associated Press’s Twitter account was hacked this year to falsely report an explosion near the White House, temporarily triggering a plunge in U.S. stocks.

Michael Kerner, who oversees property-casualty coverage at Zurich, Switzerland’s largest insurer, said last month that computer threats are escalating and may soon cause “dramatic” disruptions for businesses and individuals. The AP attack was carried out by the Syrian Electronic Army, a group that supports the government of President Bashar al-Assad.

Businesses contend with a variety of state privacy laws that outline how they must respond when customer data is compromised, Hancock said.

“It’s really important for companies to be aware of their obligations when there’s a breach,” he said. “A lot of companies we encounter have absolutely no clue. They know they’ve been breached but they don’t know what the right response is.”

To contact the reporters on this story: Noah Buhayar in New York at; Alexandria Baca in New York at

To contact the editor responsible for this story: Dan Kraut at

Press spacebar to pause and continue. Press esc to stop.

Bloomberg reserves the right to remove comments but is under no obligation to do so, or to explain individual moderation decisions.

Please enable JavaScript to view the comments powered by Disqus.