Cyberliability exposures will continue to grow, with claims costs more likely to run into the millions, regardless of how many individuals can prove personal damage from a data security breach, experts in this evolving market warned.
“Claims costs can quickly multiply even without proof of actual damage to anyone’s identity or personal finances,” according to James Rhyner, vice president and worldwide lawyers professional product manager for Chubb Group, based in Warren, N.J.
While moderating a panel—“Bermuda: Not Just D&O”—here earlier this week at a Professional Liability Underwriting Society conference, Mr. Rhyner cited the spiraling expense for notification and credit monitoring incurred by organizations that expose the public to identity theft if their data is lost or stolen.
“You have to let people know their privacy has been compromised,” said Stuart Anderson, vice president of Bermuda-based AIG Excess International. “Free credit reports must be offered, at $20-to-$40 per person. You have to set up a call center to answer questions and field complaints. And that’s before there are any actual liability claims.”
More insurance is available for such exposures, including from Bermuda firms, but underwriters are being very conservative with their capacity until they get a better handle on the risk, Mr. Anderson noted.
“This is the Industrial Revolution times 50, and the insurance industry is still trying to catch up,” he said.
“Cyberliability is still such a nebulous, evolving concept,” added James Loder, vice president of underwriting for XL Insurance (Bermuda).
Cyberliability coverage is triggered whenever an organization puts private information at risk, either because a computer system is hacked, or someone loses a laptop or flashdrive containing personal data, the panelists noted.
“It’s shaping up to be a low-frequency, high-severity event right now,” according to Mr. Anderson, “but as the law catches up with the risk, and as public awareness is more widespread, the frequency of the claims will become more of a problem.”
As the soft property-casualty market tempts insurers to expand their reach into new markets to boost revenue, Mr. Anderson warned carriers against “dabbling” in cyberliability exposures.
“Cyberliability is very technically challenging to write,” he said. “Don’t just dip your toe into this market without the proper expertise. You’ll need people with serious technological know-how to advise you about patches, firewalls and the like.”
Risk managers face a broader exposure beyond cyberliability when discovering a data breach, according to Lorene Philips, vice president of Bermuda’s Allied World Assurance Company.
“There is a reputational risk to deal with. It’s tough to admit publicly that your organization has a data security issue,” she noted, adding that a breach could discourage customers from doing further business with the company.
She cited as the “poster child” for cyberliability the problems faced by retailer TJ Max, which discovered a breach of its transaction processing network, affecting as many as 100 million credit and debit card accounts. She estimated that it “could cost north of $150 million to eventually revolve” all of the resulting claims.
On the plus side for insurers, this high-profile case “prompted an uptick in interest in cyberliability insurance products, with some buying it for the first time and others increasing their existing coverage,” Ms. Philips noted.