The threat of cyber hacking, underscored by the credit card breach at Target, is now so great that US businesses are rushing to buy insurance coverage against the expense of being hacked, or losing sensitive customer information.
One in three companies now has insurance to specifically protect against such losses. Last year, cyber insurance polices sold to retailers, hospitals, banks, and other businesses jumped 20 percent, according to Marsh LLC, a New York insurance brokerage firm that tracks the market.
Ultimately, the costs of these policies are picked up by consumers.
A decade since it was first introduced, cyber insurance has graduated from a splurge to a necessity propelled by a series of high-profile data breaches that have cost companies many millions of dollars.
South Shore Hospital purchased its first cyber insurance policy shortly after a data breach put the names, Social Security numbers, and health histories of its 800,000 patients at risk in 2010. The policy didn’t cover South Shore’s costs in that incident — including a $750,000 state settlement for privacy violations — but the Weymouth hospital’s executives decided they needed to be better prepared for the next one.
‘Cyber risk and cyber insurance has really got the attention of the board room these days. It’s become less a discretionary purchase.’
“Who would have thought about cyber insurance?” said Sarah Darcy, a spokeswoman for the hospital. “It’s such a new coverage to have to have.”
Target’s disclosure recently that hackers had stolen the debit and credit cards of 40 million customers and the PIN numbers, e-mails, and addresses of 70 million people has prompted even greater interest in cyber insurance, industry specialists said. These policies cover the costs of a data loss, from hiring investigators to find the source of the breach to providing credit monitoring for customers to enlisting public relations experts to help salvage the company’s reputation.
The Boston insurer Liberty Mutual, which has been selling primary policies for data breaches since 2011, said the Target data theft prompted executives who were debating whether to buy coverage to make the commitment and sign policies, said Oliver Brew, vice president of privacy and technology underwriting.
Liberty Mutual’s sales of these policies have jumped 30 percent from last year.
“It’s a huge growth potential,” Brew said of the cyber insurance market. “It’s an emerging risk.”
Several years ago, business executives were more focused on buying insurance to cover losses if a fire destroyed their manufacturing plant or thieves broke into an office and stole computer equipment. But increasingly, companies find that the information they have on those computers, from customer health records to credit card data, is just as valuable and could be just as costly to the bottom line if lost.
When hackers broke into TJX Cos., the owner of TJ Maxx and Marshalls, and stole about 46 million customer credit and debit card numbers, the Framingham company estimated the breach would cost it at least $180 million. The breach of Sony Corp.’s video game online network in 2011 led to the theft of names, addresses, and credit card data belonging to about 100 million users. The hit to Sony: an estimated $171 million.
The average cost of a data theft in 2012 was $188 per customer account, according to a recent study by the Ponemon Institute, a Michigan-based independent research center focused on privacy and information security. While the mega-breaches tend to grab headlines, more common data losses involve fewer than 100,000 customer records. But even these smaller breaches can be costly, averaging $5.4 million in 2012.
“Cyber risk and cyber insurance has really got the attention of the board room these days,” said Bob Parisi, a managing director for Marsh LLC. “It’s become less a discretionary purchase.”
At the same time, insurance companies are starting to specifically exclude electronic data losses from traditional corporate policies, forcing businesses to buy additional coverage.
Since October, the Chubb Group of New Jerseyhas excluded privacy and data breaches from its standard insurance for directors and officers of health care companies.
For Partners HealthCare, which operates the state’s largest hospital and physician network and handles vast amounts of sensitive information, it made sense to buy separate cyber insurance coverage, instead of relying on an umbrella policy, said Tim Murray, the company’s director of risk management. Along with health care records, Partners accepts $130 million a year in credit card payments.
Partners bought the policy in 2007 and made a claim two years after an employee left the records of 192 Massachusetts General Hospital patients on an MBTA train. The hospital paid a $1 million fine to the US Department of Health and Human Services, which was covered by the cyber insurance.
“It was effective,” Murray said.
Still, businesses should be aware of the type and extent of the coverage of the cyber insurance they’re buying, said Doug Meal, a partner with Ropes & Gray LLP who represented TJX and is working with Target. Many policies may not cover all the risks a company faces.
For example, companies such as Visa and Mastercard, which have to reissue compromised credit cards, usually sue the business victimized by the breach for their card replacement costs. Some insurance policies won’t cover that expense, Meal said.
“This is a very, very new area,” Meal said. “The liability in the area and the risks in the area are a bit of a moving target.”