A high-profile hack at JPMorgan – to say nothing of monstrous breaches at Sony and Home Depot – has made cybersecurity a daily concern for executives at big banks and corporations. One partial protection is to take out insurance. It’s a confusing market, but growing fast. With a U.S. government campaign on top of all the publicity, coverage may become standard.
The recent break into the internal email servers of Sony Pictures and the subsequent WikiLeaks-like data dump, stated by the FBI to be the work of North Korean hackers opposed to a comedy depicting the assassination of Kim Jong Un, may prove costly as well as embarrassing. But the Japanese conglomerate already knows that the failure to secure personal data can be expensive: it shelled out $171 million to cover a 2011 breach of its PlayStation Network.
Yet that pales beside the possible fallout for a big bank like JPMorgan, which suffered a hack potentially exposing certain data for up to 83 million accounts. That’s where the government is focusing its efforts, with a Treasury official in December publicly urging banks to get insurance.
There are dozens of underwriters offering cyber-related cover. It’s a market on track to double in 2014 to $2 billion of gross premiums in the United States, according to Marsh & McLennan. The frequency of relevant events ticked up sharply last year to about 10 times the rate a decade ago, according to Advisen, a provider of data and analytics to insurers. Yet there are also dozens of different structures and definitions of insurance on offer.
That’s where efforts by the banks and Washington may combine to create a bigger, more standardized market for cyberinsurance. That would provide financial cover for at least some of the liabilities arising from hacks. And if the criteria for getting insurance include demonstrating a base level of what Treasury Deputy Secretary Sarah Bloom Raskin called “cyber-hygiene,” then it may also improve security, to a point.
But the bad guys are always going to be a step ahead. While governments no doubt want banks to have insurance, part of the motivation may also be to avoid ending up on the hook – just as the Feds have become for terror risks under the Terrorism Risk Insurance Act, which Congress failed to extend before the end of its last session of 2014.
The message to banks and insurers may be to get together and figure out coverage. But the companies involved still need to invest in cyber-protection and detection. Whether from North Korea or elsewhere, the threat will only increase in the coming year.
This view is a Breakingviews prediction for 2015.