Companies Worried About Hackers Turn To Cyber Insurance
STEVE INSKEEP, HOST:
This week brought new revelations about a cyber attack on Premera Blue Cross. The health insurance company based outside Seattle says hackers may have compromised 11 million customer accounts. Attacks like that are prompting some companies to buy cyber insurance, and that business is growing quickly, as we learn from reporter Kaomi Goetz.
KAOMI GOETZ, BYLINE: Steve Hawkins strokes the hair of his four-year-old English Labrador.
STEVE HAWKINS: Sammy, Sammy. Good girl, good girl. Who's my good girl?
GOETZ: Sammy is more than a pet. She's trained to sniff out bedbugs for Hawkins' exterminator business called 5 Star Environments in Manhattan. It's one way to get an edge against competitors who don't use dogs. Another is being able to assure clients their information is safe. Hawkins learned the importance of data protection two years ago. That's when hackers got into his computer and stole his customers' credit card information. He immediately beefed up his firewalls to prevent it from happening again, but still, he worries.
HAWKINS: A lot of what's going on in the news makes you think about the smaller companies like myself - protecting myself.
GOETZ: One way to do that is having cyber insurance. Like most companies, Hawkins already has general liability coverage for things like workers comp and property liability, but it doesn't cover hacker attacks. Cyber insurance pays for privacy attorneys to sift through state and federal data breach laws. There also might be regulatory fines and costs for setting up call centers, credit monitoring and help with PR. But bundling that risk into a monthly premium isn't an exact science. John Farley is vice president of insurance brokerage HUB International. He says underwriters are used to large swaths of data.
JOHN FARLEY: It's much different in cyber because in cyber, there's really not a lot of claims data out there. It's relatively new, and it's not readily shared.
GOETZ: He says putting a price on loss of reputation, like the recent hack on Sony Pictures, is harder to quantify. Yet, that isn't stopping insurers from writing policies or companies from buying them. Insurance industry researcher Advisen says the number of premiums paid for cyber insurance was $2.1 billion last year. That's up from 1.8 billion in 2013. Farley says cyber insurance is booming.
FARLEY: If you went back 10 years ago and asked the insurance buyer - the risk manager - at corporation, you know, what keeps you up at night? They might answer that question and say, you know, being involved in a mass tort or a big product recall where they're getting sued. Those concerns are still very valid today. But if you ask that same question - what keeps you up at night? - cyber rescue is always at the top.
GOETZ: But because they are so new, cyber policies can be tricky. Ed Stroz is a former FBI agent who founded cyber security firm Stroz Friedberg in Manhattan. He says companies have to be realistic.
ED STROZ: You have to look at the terms of the policy, the kind of insurance products that are out there and how well that aligns with the kind of coverage your client seeks to get.
GOETZ: If companies aren't careful, their cyber insurance policy might surprise them when they need it most. Retailer Target suffered a massive data breach in late 2013. About 100 million customer accounts were compromised. That shook investor and customer confidence. The cost of breach reached $148 million by the second quarter, but its cyber insurance policy paid out only 38 million. One reason payouts sometimes fall short is an insurer might decide the company was negligent on security, even for something as simple as failing to regularly change security passwords.
HAWKINS: Come on. Yeah, that's my girl. Give me a kiss.
GOETZ: Steve Hawkins knows cyber insurance isn't a hundred percent guarantee, but he's willing to do whatever he can.
HAWKINS: Listen, we're a small company, but we are a target. There's no question.
GOETZ: And he's trying to educate other small business owners to the risk because he knows hackers are always one step ahead. For NPR News, I'm Kaomi Goetz in New York.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.