Cyber brokers say this is the Year of Home Depot, and 2015 will be the year that cyber insurance prices go up—and become almost unobtainable for some companies handling payment card data.
The largest-ever retail breach of payment cards at the home-improvement chain changed the game, according to Ben Beeson, vice president of cyber security at insurance brokerage Lockton. The five-month attack beginning in April compromised 56 million cards.
“In 2015, some clients will have trouble getting insured, and even those that are deploying encryption of data and tokenization will have fewer options to choose from,” he said.
The newer security measures have become the baseline for coverage in the eyes of many carriers, whereas six months ago it was enough for point-of-sale retailers to be compliant with Payment Card Industry data security standards, he said.
Beeson expects premiums to rise as much as 10 percent, with higher retention levels for POS retailers. Both financial institutions and health care companies have benefited from regulation of their industries requiring better security and won’t face as much “knee-jerking,” Beeson said.
Willis’ Karl Pedersen, senior vice president of cyber and errors and omissions, sees a bigger jump in store for some POS retailers. Events involving data or privacy loss in recent weeks could crimp coverage capacity and propel their prices as much as 40 percent higher, he said.
Other industries could see anywhere from a 2 percent decrease to a 5 percent increase for cyber coverage, while prices for first-time buyers will be “more restrictive,” the broker’s Marketplace Realities report said.
Bob Parisi, cyber product leader at Marsh, expects premiums to rise as much as 5 percent across the board for coverage and “significantly more” for POS retailers.
“Retail has taken it on the chin in 2013, 2014,” he said. Carriers have now seen and paid for substantial losses, and it’s time “to correct their book.”
Before this year, “there was a rush to write as much cyber as you could,” Parisi said of underwriters. “Now, we have to convince them to write the policy.”
Robert Morris, president of Rampart Group Insurance Associates, also believes cyber insurance has reached a tipping point.
The coverage has not only become a must for companies of every stripe, carriers have started to take a harder look at how well-protected the businesses actually are.
Insurers “want to talk directly to the chief technology officers” at companies, he said, especially given the scarcity of actuarial data for this relatively new line of business.
Pricing will depend on the number of records, transactions and clients processed by a business. On the other hand, continued blending with management liability lines such as Directors and Officers or Errors and Omissions should afford “pricing considerations” for buyers, Morris said.
Willis also said in its report that preventable breaches–caused by a failure to encrypt data-storage devices–continue to decrease, while those involving hackers, organized crime and rogue employees are on the rise.
“As a result, claim severity has spiked dramatically, especially in the retail sector,” the broker said.
Lockton concurs, saying that the near-inevitability of breaches has shifted the focus for security in general from prevention to detection and “lockdown” of data.