When Brian Rosenbaum started pitching cyber insurance to companies in 2006, he was met with blank stares from risk managers and resistance from information technology experts, who insisted their networks were impenetrable.
All of that has changed in the past year and a half, said Rosenbaum, who heads the cyber insurance division of Aon Corp.’s Canadian brokerage arm.
“We’ve reached a threshold where people are now coming to us instead of us going to them,” said the vice president.
Insurance brokers say the frequency of high-profile data breaches is causing a surge in demand for insurance products that protect against losses stemming from cyber attacks.
On Thursday, U.S. prosecutors charged five people with stealing 160 million credit and debit card numbers from companies including 7-Eleven Inc., JC Penney and French retailer Carrefour, calling it the largest data breach in the country’s history.
Other victims of data breaches in the past few years include Sony’s PlayStation Network, financial institution Citigroup and a number of Canadian government departments.
A breach can be costly. Companies face notifying clients that their personal information has been compromised, offering credit protection services, hiring a crisis management firm and defending against lawsuits.
Aon has placed more cyber insurance policies in just the last 18 months than it did in the previous five years, said Rosenbaum.
“People are beginning to understand that this is a risk that can affect any business.”
Financial institutions, online retailers, hotels and restaurants, health-care companies and educational institutions are driving the demand because of the volume of personal and financial data they collect, said Rosenbaum.
Global insurance broker Marsh Inc. said the number of organizations that purchased cyber insurance in the U.S. shot up by 33 per cent from 2011 to 2012.
“This is the fastest growing area of commercial insurance in the world right now,” said Michael Peterson, a managing director at Marsh Canada Limited.
“Organizations are realizing that the risk is real, that they’re not quite as secure as they thought and, therefore, they’re taking steps to transfer that exposure to insurance companies.”
Brokers, like Aon and Marsh, estimate there are about two dozen Canadian insurers who provide stand-alone cyber network policies. Most of these underwriters provide cafeteria-style policies, in which clients can pick which losses they want to protect against.
Others, such as Encon Group Inc., offer it as an add-on to errors and omissions coverage that can protect companies against claims of negligence.
“There’s definitely an increasing percentage of our errors and omissions clients that are becoming aware of the cyber liability exposure,” said Stefanie McKay, a senior vice president at Encon.
But Canada’s cyber insurance market lags several years behind Europe and the U.S.
McKay attributes this to the fact that Canadian companies aren’t required to report data breaches like their U.S. counterparts.
“It’s growing, it’s just maybe not growing as fast as in some jurisdictions, like the United States,” said McKay.
Brokers say the lack of mandatory reporting is also one of the reasons why actuarial data in the cyber insurance field is so sparse.
This can make it tricky for underwriters to know how much risk there is, how much a breach can cost and how to price their policies.
Although cyber insurance has been available in Canada since the late 1990s, it has only become popular in the last few years.
So far, claims have all been settled out of court, so they’re not a matter of public record, said Peterson.
But that’s likely to change.
“There are six or seven class action lawsuits that are working their way through the system right now that will, we believe, actually set benchmarks for cyber claims going forward,” said Peterson.
Brokers say it’s possible that cyber insurance will become a mainstay of every risk manager’s tool kit.
But the insurance products will have to evolve to keep pace with technology.
As new tools — such as mobile banking and cloud computing — create new security issues, insurers will have to reevaluate which risks they are willing to insure their clients against.
“As we continue to develop technology to make life easier, and quicker, for corporations and individuals, we’re going to create new risks and it’s just going to be a ping pong ball going back and forth trying to deal with it,” said Rosenbaum.
Note to readers: This is a corrected story. A previous version had the wrong spelling for Brian Rosenbaum.