Banks have been able to buy coverage against the financial and reputational costs of data-security breaches for more than a decade. It's only in the past few years, however, that the insurance industry has begun expanding the scope of such coverage and edging toward de facto standards for what is insured and how much it costs.
The actuarial basis on which premiums are set remains sketchy to bankers and others on the outside. But what's covered has become fairly standard. That includes the cost of security breakdowns caused by low-level employee misconduct and protection against the loss of data that was in the hands of outside vendors.
When breaches occur, insurers now typically cover the cost of credit monitoring and other services. In previous iterations of so-called "cyber insurance," these features were not always clearly covered.
"Money goes out to cover crisis management, regulatory notifications, computer forensics, PR people, lawyers and a whole cadre of vendors," says Richard Bortnick, a Philadelphia-based attorney with Cozen O'Connor, who helps banks acquire such insurance. "The policy coverage is broader than it's historically been."
Cyber insurance fills gaps in banks' traditional liability and business insurance policies, which typically cover only physical losses and direct costs, such as robberies, fires and lawsuits.
Plenty of questions remain about how cyber policies are priced, but insurers and brokers say the market has been expanding at a rapid clip anyway, thanks to heightened breach disclosure requirements and a patchwork of state regulations that require banks to compensate clients for damages suffered as a result of data breaches.
Marsh, a major data-breach insurance broker, says around one-third of its financial institution clients hold such policies. It expects the market to grow 15% annually over the next few years, driven in part by regulatory pressures.
Last October, the Securities and Exchange Commission declared that public companies of all stripes must include the costs of data breaches in financial reports and disclose to investors the extent of their data-theft vulnerabilities. That, in turn, has raised awareness of related risks, insurers, brokers and attorneys say.
Because data-breach coverage remains an immature product, specifics on the scope of the market remain scarce. Nor are insurers anxious to divulge the details of what they charge or how much it costs them to provide coverage. What's more, the filings that insurers make with state regulators typically lump in data breach coverage with other forms of commercial insurance.
Industry sources peg the value of the overall cyber-insurance market - which includes healthcare providers and retailers, as well as financial institutions - at anywhere from $500 million to $1 billion a year in premiums paid.
For their part, insurers are still working to gauge the risk of covering banks, says Robert Parisi, a senior vice president at Marsh's Financial and Professional Liability Practice. Among the insurers that have pursued the business most aggressively are Chubb, Chartis and Beazley. Other carriers have balked at taking on financial companies as clients, regarding them as overly attractive targets.
The companies anxious to sell coverage go to considerable lengths to impress potential clients with its value. Chartis offers a lengthy list of recent payouts.
"A rogue employee used a personal USB drive on the company computer system to steal and sell the identities of over 4,000,000 customers and applicants," one anonymous claim scenario says. The episode triggered a settlement north of $15 million for credit monitoring and identity theft insurance for consumers, Chartis adds.
The cost of such protection can vary greatly, in part based on insurers' evaluation of how well banks have addressed their own risks.
"I've seen the price per million dollars of coverage as low as $5,000 and as high as $65,000," says Marsh's Parisi. "It's not like workers' comp, where the main determinant is the type of work and how many workers you have. This is still highly specialized, highly focused, very subjective underwriting."
Individual insurers generally cap coverage at about $20 million, but brokers can bundle multiple insurers to create policies worth many multiples of that. Small banks are increasingly a target of their sales efforts, according to Bortnick and Parisi.
Market share data is lacking, but both say one big player in the area is Beazley, which began offering a combined insurance and data-breach response package to community banks and credit unions around the beginning of 2011. Under Beazley's terms, a financial institution suffering a breach notifies the insurer of the breakdown, and the insurer hires the lawyers, forensic firms and credit monitoring servicers necessary to handle the problem.
"A lot of smaller institutions don't have a good sense of how to comply with the laws if there's a breach," says Bob Wice, an underwriter for Beazley's specialty insurance business.
Wice, Bortnick and Parisi all declined to name individual bank clients for the insurance. The absence of legal disputes over such policies seems to reflect a level of satisfaction with the coverage, as well as its relatively broad boundaries, says Bortnick. With the market still in its early stages, insurers are also averse to getting into public spats over policy limits.
"Because the product is still developing and everyone in the insurance industry wants to get in, you need to be seen as taking care of your policyholders," Bortnick says. "If you become known as someone who denies claims, nobody's going to be buying from you."