As costly corporate data breaches pile up, cyber liability insurance market surges

Schnucks South City Market in St. Louis | Courtesy of MBK/Flickr
Schnucks was sacked by a data breach that involved an estimated 2.4 million credit cards. | Courtesy of MBK/Flickr

Schnucks. Jimmy John’s. Dairy Queen.

As the list of retailers in Missouri that have experienced data breaches continues to grow, many companies are seeking insurance coverage for their cyber risk.

Michael Born of the Lockton Companies, a global insurance brokerage headquartered in Kansas City, said that the cyber insurance market has grown for both large and small businesses.

“Even if you don’t have the data volume (of) Target and Home Depot, and even if you don’t have sensitive health information, all businesses have confidential information of some kinds, like information of their customers, employees,” said Born, vice president of Lockton’s global technology and privacy practice. “Which can lead to very expensive losses if those records are exposed.”

Schnucks, the St. Louis-based grocer, filed a $2.1 million settlement this summer over a data leak in which an estimated 2.4 million credit cards were compromised. In September, sandwich restaurant Jimmy John’s reported a breach that hit 215 locations, including 14 in Missouri. In October, ice cream and fast food chain Dairy Queen said it had fallen prey to a hack affecting 395 stores, including 17 in Missouri, according to the Associated Press.

The number of data breaches in the U.S. reached 614 last year, up 37 percent from 2012. The cyber insurance market has grown in response to the breaches. In 2013, the total volume of the premiums for cyber insurance in the U.S. amounted to $1.3 billion. That number is expected to reach $2 billion this year, according to Brian Thornton, president of ProWriters, a Pennsylvania-based insurance company that offers cyber liability coverage nationwide.

Brian Thornton, president of ProWriters.|Courtesy of ProWriters
Brian Thornton | Courtesy of ProWriters

“The industry itself is certainly growing,” Thornton said. “This year will be the biggest growth.”

In April, Columbia Insurance Group rolled out a data compromise policy to better help its clients mitigate the increasing risk associated with cyber attacks. The Columbia-based insurance company had the fifth-largest market share of commercial multiple peril insurance in Missouri in 2013, according to a report by the Missouri Department of Insurance.

The policy offers first-party coverage, which covers the direct costs incurred from a data breach, such as legal support and the cost to notify individuals who are affected. The policy also offers third-party coverage, including the cost of possible legal action or lawsuits caused by a data breach.

“Because of the recent breaches of companies like Target and others, the need for data compromise coverage has come to the forefront,” said Kate Stull, a marketing and communications specialist at the Columbia Insurance Group

Industries such as retail, health care and financial institutions are the major buyers of cyber insurance coverage, as they have to handle sensitive data on a much larger scale, including personal health records, bank cards and other bank account information, Born said. The big buyers also tend to come from highly regulated industries, which government agencies watch closely. Since the companies face huge costs for mishandling customer data, they need more insurance to cover the costs.

The growth of cyber insurance is also driven by increasingly sophisticated hackers, who often work in teams across multiple countries, according to a Lockton white paper.

Jimmy John's | Courtesy of Melanie Levi/Flickr
Jimmy John’s was burned by a breach that affected 215 stores nationwide. | Courtesy of Melanie Levi/Flickr

Born said large organizations are most vulnerable to hacking in parts of their information systems where vendors have access.

“You could protect your system to the best of your ability, but if you start letting third parties get into that system, then you’re relying on their safeguards and protections,” Born said.

Many retailers contacted by Missouri Business Alert declined to discuss their cyber insurance. Some insisted that they regard cyber security as their first priority. Applebee’s spokesman Kevin Mortesen said that the Kansas City-based restaurant chain devotes many employees to guarding its customers’ data.

Jimmy John’s declined to comment on its cyber insurance because of lawsuits related to its recent data leaks. Schnucks spokeswoman Lori Willis said the company has purchased cyber insurance, but she refused to comment on it for legal reasons. Schnucks insurers sued the supermarket chain in August 2013 to avoid paying for its breach, according to a report from the St. Louis Post-Dispatch.

In light of these episodes, many old buyers of cyber insurance are now getting more coverage, including both first-party coverage and third-party liability coverage. For big clients of ProWriters, that coverage could be as high as $100 million to $200 million, Thornton said.

He said many smaller businesses, including early-stage startups, have also begun to show interest in cyber insurance.

“People are more aware of this,” Thornton said, “and they are more likely to buy.”


Tags:, , , , , , , , , , , , , , ,

Leave a Reply

Have you heard?

Missouri Business Alert is participating in CoMoGives2019!

Find out how we plan to use your gift to enhance training and programming for our students