The market capacity for cyber insurance is not large enough to adequately cover the risk, according to
AIG CEO Peter Hancock.
Speaking at an event at New York University, Hancock told listeners that the amount of cyber liability coverage currently being offered by insurance carriers will only cover a fraction of the damages that occur during and after a data breach.
“The largest coverage I’m aware of is for a bank that has about US$400 million in coverage which is very small when you think about it,” said Hancock.
“When you compare it to the amount of capacity that’s available for a complex chemical plant, refinery, offshore oil platform, the numbers are much, much higher.”
It’s hard to argue against the point considering the 2013 Target data breach cost the company US$252 million in expenses, only US$90 million of which was covered by the company’s cyber policy.
That left Target responsible for US$162 million—more than 64% of the cost.
Technically, the largest policy currently available on the market offers coverage limits of up to US$500 million, according to Robert Parisi, cyber product leader for
Marsh.
Parisi told the
Wall Street Journal that in general, large cyber insurance policies are only written for about US$100 million to US$200 million.
The lack of capacity is especially seen in the retail, healthcare and education industries, as well as in the public sector.
Brokers may have reason to be hopeful, however.
Cyber insurance is one of the fastest growing products in both the standard and excess and surplus markets, and Marsh believes the amount of coverage available for cyber policies will increase over time—and likely quickly.
Hancock, too, supports this view.
“The willingness of insurers and by others in the industry to provide greater capacity will increase with greater comfort in the maturity of the countermeasures,” Hancock said at the event.
