24 July 2011

Cybercrime insurance

Ben Berkowitz at Reuters notes that Zurich American Insurance Co, one of Sony's insurers, has asked a New York state court to declare that it does not have to pay to defend Sony from legal claims related to a large-scale data breach noted earlier this year.

Zurich American's filing seeks a ruling that it is not required to defend or indemnify Sony against any claims "asserted in the class-action lawsuits, miscellaneous claims, or potential future actions instituted by any state attorney general." The insurer has concurrently sued units of Mitsui Sumitomo Insurance, AIG and ACE asking the court to clarify their responsibilities under various insurance policies written for Sony, apparently in an effort to secure the involvement of all Sony insurers if the Court finds that there is a duty to defend.

There has been speculation that although Sony may be able to claim property damage as a result of the data breach, Zurich American is likely to argue that the general liability insurance written for Sony was not intended to cover digital attacks and is not enforceable.

Sony noted in May this year that it was looking to its insurers to help pay for the data breach. Exposure of data is forecast to cut the group's operating profit by 14bn yen (US$178m) in the current financial year, including costs for boosting security measures. That figure does not include potential compensation of customers.

Berkowitz elsewhere comments that rates for cybersecurity insurance have declined because of competition among new entrants to the market -
A series of high-profile data breaches at companies including Sony Corp and Citigroup have drawn sudden attention to "cyberinsurance," which covers everything from the cost of notifying customers their data has been breached to the cost of defending against those customers' lawsuits.

A number of brokers told Reuters in early June that their phones were ringing off the hook, with some customers seeking coverage limits of up to $200 million for new policies. Such huge limits are noteworthy, since less than 5 percent of all data breaches cost more than $20 million.

Yet despite all that demand, there has also been a marked increase in the number of insurers willing to write such policies. Travelers Companies Inc, one of the largest property and casualty insurers in the world, launched its own program last month, and others like Chubb Corp are increasingly aggressive in the market as well.

"We see a major player come into the space once a quarter, once every other quarter, so capacity continues to exceed demand," said Bob Parisi, a senior vice president in the financial and professional liability practice at Marsh, a unit of Marsh & McLennan.

"You've got $100 million, $200 million in capacity chasing $25 million in risk. It's the undiscovered country, everyone's looking for a growth area.
Insurers are still developing standards -
"You're insuring all the nonsmoking, low-cholesterol iron workers - they do something inherently dangerous but they're well-trained and they're all healthy," Parisi said, by way of an analogy to describe how insurers approach cyber risk.

Of all the categories of coverage that exist, Marsh said the biggest increase in claims during the most recent quarter was for privacy-related claims, such as notifying customers their data had been breached and giving them credit monitoring and identity theft services.

A year of credit monitoring services has been become a standard offering from companies to their customers after a data breach, consumer advocates say.