JPMorgan’s Data Breach Reveals Growth Market for InsurersNoah Buhayar, Sarah Jones and Zachary Tracer
Insurers flush with capital are rushing to grab part of an expanding cyber coverage market that’s been spurred on by high-profile hackings at JPMorgan Chase & Co. and Home Depot Inc.
Sales are set to double this year from about $1 billion in 2013, according to Bob Parisi, head of the network security and privacy practice at Marsh, the insurance brokerage arm of Marsh & McLennan Cos. The policies can protect companies against lost revenue, lawsuits or even damage to their reputation or brand.
“There is a lot of capital looking to find a home,” said Rick Welsh, head of cyber coverage at Aegis London, which sells policies through Lloyd’s of London, the world’s oldest insurance market. “They now see cyber insurance as a once-in-a generation opportunity that is set for growth.”
Demand for coverage has accelerated after some of the largest companies in the U.S. revealed that they’d fallen victim to cyber hackers. JPMorgan last week outlined the scope of a previously disclosed data breach, revealing that 76 million households and 7 million small businesses had been affected. Home Depot said in September that a breach put about 56 million payment cards at risk.
The number of cyber security incidents globally has soared 48 percent to 42.8 million this year, according to a PricewaterhouseCoopers LLP survey. The average loss for a large company rose to $5.9 million from $3.9 million in 2013.
The prevalence of attacks, even at banks with some of the most sophisticated network security, means more work needs to be done to mitigate cyber risk, said Paul Tiao, a partner at Hunton & Williams LLP and former adviser to the director of the Federal Bureau of Investigation.
“This is one of the biggest national-security challenges that we have,” Tiao said today during a panel discussion sponsored by the Financial Services Roundtable in Washington. “We have to work together.”
Carriers including American International Group Inc., Travelers Cos., XL Group Plc and Lloyd’s insurers like Aegis and Brit Plc are underwriting policies. Competition helped keep prices flat, even as some claims climb into the tens of millions of dollars, said Marsh’s Parisi.
Insurers “wouldn’t be chasing after this risk if they didn’t think they could write it profitably,” he said.
U.S. property-casualty insurers accumulated a record surplus after gains on investment portfolios and two years of calm hurricane seasons. That’s heightened their appetite to add cyber-insurance customers, especially among the small-and medium-sized businesses that hadn’t previously purchased the coverage.
“They are equally aware of their own vulnerabilities,” said Michael Tanenbaum, senior vice president of professional risk at Ace Ltd. The insurer has seen the number of cyber policies it sells to those businesses rise 60 percent annually for almost four years, he said.
Welsh and Ben Maidment, class underwriter of cyber and privacy risk at Brit, said the JPMorgan and Home Depot breaches alerted more executives to the risks. Target Corp.’s board ousted Chief Executive Officer Gregg Steinhafel in May in the wake of a hacker attack that compromised the personal data of millions of shoppers.
“We have barely scratched the surface,” Maidment said. “There is growth potential, so naturally more capital is being put to work.”
As sales have increased, insurers have added staff and services. Travelers hired former employees of the FBI to help its clients manage risk. AIG and Ace also provide advice on security. Tom Ridge, the first U.S. homeland security chief under President George W. Bush, teamed up with Lloyds of London to offer cyber insurance.
AIG has been offering the coverage since 1999, said Tracie Grella, the New York-based insurer’s global head of professional liability. Sales have increased about 30 percent annually for the past couple years, and are on track to jump about that much in 2014, she said.
She said many of the claims AIG receives are tied to human error, such as lost laptop computers, rather than organized attacks.
“The hackers are very good, and there are sophisticated attacks out there, but attacks are really happening because of human error,” she said. “It’s really about the human element.”