Hacking Threat and Tougher Data Laws Promise Insurance Boom

cyber security computer hacking hacker
John Lund | Getty Images

For European insurers frustrated that "cyber crime" policies have so far failed to find a ready market among skeptical companies, hope may be at hand.

Not only has a huge data loss by Sony dramatically illustrated the risks of hacking raids on corporate data, but the European Union is working on regulatory requirements which threaten heftier fines on unprepared companies.

The net effect for the insurance sector is that its efforts to establish cyber cover as a lucrative business line alongside risks such as weather catastrophes may be about to bear fruit.

In the United States, cyber cover has grown to be a market worth more than $1 billion in annual premiums, but Europe has not yet followed suit, perhaps surprising given a run of high profile, and costly, hacking incidents.

Yet the U.S. growth only came after legislation a decade after insurers first started offering policies to cover so-called "cyber risk."

(Read More: Companies Battle Cyberattacks Using 'Hack Back')

"If I was to compare the U.K. and European market now with the U.S. market, we are where they were back in 2004 to 5," said Stephen Wares, specialist in cyber risk at insurance broker Marsh.

In the U.S., laws forcing companies often at considerable cost to inform people if their private details had been compromised, led to a boom in cyber cover starting in around 2005, Wares said.

Now European lawmakers are promising bigger fines for companies that lose data, just as hackers step up illicit mining for sensitive information, driving a market for insuring against mounting financial risks.

The issue came into focus in the U.K. after a 2011 breach of Sony's PlayStation video game network that led to the theft of millions of names, addresses and possibly credit card details.

Legal Standards

In January, British data protection watchdog the Information Commissioners Office fined Sony 250,000 pounds ($391,500) after finding the attack could have been prevented if software had been up-to-date.

"That was the regulator really baring its teeth," said Henry Sainty, partner and specialist in media and technology at law firm Farrer & Co.

The European Commission is hoping to reform from 2014 data protection rules that could slap far larger penalties, possibly up to 2 percent of a company's global annual turnover, on firms found to have fallen short of legal standards.

(Read More: Twitter Ups Securityto Prevent Further Hacking)

Rafi Azim-Khan, partner at global law firm Pillsbury and head of data privacy practices in Europe, said these proposed new rules "should keep CEOs awake at night ... It should now be quite clear that data protection due diligence should be a boardroom issue, not a backroom issue."

Warnings over the scale of the issue are not hard to find.

A guide to cyber risk for companies backed by British secret intelligence center GCHQ highlighted the example of an unnamed pharmaceutical group which spent five years and 1 billion pounds ($1.56 billion) developing a new product. Hackers stole the research and a foreign competitor eventually released a cheaper version.

According to a recent U.K. government report, 93 percent of large businesses—defined as employing more than 250 staff—had a security breach during 2012 and affected firms saw 50 percent more such attacks than the previous year.

The research also found the average cost to a large organization of its worst security breach during the year ranged between 450,000 pounds ($707,100) and 850,000 pounds.

But in some cases, the costs can magnify to many times these figures, once damage repair, legal liabilities and fines are taken into account. There is also an unquantifiable impact from reputational damage.

Personal Data

Laila Khudairi, an underwriter for Kiln Group working at the Lloyds of London insurance market, said the costs resulting from a data breach can run into millions.

"An intrusion can prove very costly ... determining the scope of a breach and remediating the problem, such as removing a (computer) virus, can reach into millions of dollars," she said.

Insurers say demand is concentrated currently among companies in sectors holding personal or financial data useful to criminals such as healthcare companies, financial institutions and retailers.

(Read More: Hacker Claims Airplanes Vulnerable at 30,000 Feet)

Insurers contacted by Reuters about how many of their corporate clients have cyber cover put the proportion between 5 and 12 percent, compared with at least 30 percent in the United States.

Some industry insiders note rising demand for insurance does not yet yield big returns for insurers. And some warn the risks are difficult to quantify because they are still not well understood.

"It is very much a moving market out there ... The nub of it is it's quite difficult to price," said Nigel Spencer, a global development manager at U.K. insurance group RSA.

In the United States, the cyber insurance market is worth about $1.3 billion in annual premiums, up nearly a third since 2012, according to a report by Betterley Risk Consultants.

Though growing, this is still a small fraction of a non-life U.S. insurance market estimated to be worth about $667 billion in premiums by industry communication group the Insurance Information Institute.

Expectations the U.K. and European markets will converge with the United States are prompting many to invest in their capacity to develop suitable products to meet the new demand.

"We've got a specific head of data risks in the U.K. organization and we're skilling-up our cross-class underwriters to handle data risk," said Matthew Webb, an underwriter at Hiscox. "We're constantly monitoring the situation."