* European insurers look to offer cover against cyber threat
* U.S. cyber cover premiums more than $1 bln annually
* Data loss by Sony illustrates risk of hacking raids
* EU promising bigger fines for companies that lose data
By Chris Vellacott
LONDON, June 20 For European insurers frustrated
that "cyber crime" policies have so far failed to find a ready
market among sceptical companies, hope may be at hand.
Not only has a huge data loss by Sony Corp
dramatically illustrated the risks of hacking raids on corporate
data, but the European Union is working on regulatory
requirements which threaten heftier fines on unprepared
The net effect for the insurance sector is that its efforts
to establish cyber cover as a lucrative business line alongside
risks such as weather catastrophes may be about to bear fruit.
In the United States, cyber cover has grown to be a market
worth more than $1 billion in annual premiums, but Europe has
not yet followed suit, perhaps surprisingly given a run of
high-profile, and costly, hacking incidents.
Yet the U.S. growth only came after legislation a decade
after insurers first started offering policies to cover
so-called "cyber risk".
"If I was to compare the UK and European market now with the
US market, we are where they were back in 2004 to 5," said
Stephen Wares, specialist in cyber risk at insurance broker
In the United States, laws forcing companies, often at
considerable cost, to inform people if their private details had
been compromised led to a boom in cyber cover starting in
around 2005, Wares said.
Now European lawmakers are promising bigger fines for
companies that lose data, just as hackers step up illicit mining
for sensitive information, driving a market for insuring against
mounting financial risks.
The issue came into focus in the UK after a 2011 breach of
Sony's PlayStation video game network that led to the theft of
millions of names, addresses and possibly credit card details.
In January, British data protection watchdog the Information
Commissioner's Office fined Sony 250,000 pounds ($391,500) after
finding the attack could have been prevented if software had
"That was the regulator really baring its teeth," said Henry
Sainty, partner and specialist in media and technology at law
firm Farrer & Co.
The European Commission is hoping to reform data protection
rules from 2014 in a way that could slap far larger penalties,
possibly up to 2 percent of a company's global annual turnover,
on firms found to have fallen short of legal standards.
Rafi Azim-Khan, partner at global law firm Pillsbury and
head of data privacy practices in Europe, said these proposed
new rules "should keep CEOs awake at night ... It should now be
quite clear that data protection due diligence should be a
boardroom issue, not a backroom issue."
Warnings over the scale of the issue are not hard to find.
A guide to cyber risk for companies backed by British secret
intelligence centre GCHQ highlighted the example of an unnamed
pharmaceutical group which spent five years and 1 billion pounds
developing a new product. Hackers stole the research and a
foreign competitor eventually released a cheaper version.
According to a recent UK government report, 93 percent of
large businesses - defined as employing more than 250 staff -
had a security breach during 2012 and affected firms saw 50
percent more such attacks than the previous year.
The research also found the average cost to a large
organisation of its worst security breach during the year ranged
between 450,000 pounds ($707,100) and 850,000 pounds.
But in some cases, the costs can magnify to many times these
figures, once damage repair, legal liabilities and fines are
taken into account. There is also an unquantifiable impact from
Laila Khudairi, an underwriter for Kiln Group working at the
Lloyd's of London insurance market, said the costs
resulting from a data breach can run into millions.
"An intrusion can prove very costly ... determining the
scope of a breach and remediating the problem, such as removing
a (computer) virus, can reach into millions of dollars," she
Insurers say demand is currently concentrated among
companies in sectors holding personal or financial data useful
to criminals, such as healthcare companies, financial
institutions and retailers.
Insurers contacted by Reuters about how many of their
corporate clients have cyber cover put the proportion between 5
and 12 percent, compared with at least 30 percent in the United
Some industry insiders note rising demand for insurance does
not yet yield big returns for insurers. And some warn the risks
are difficult to quantify because they are still not well
"It is very much a moving market out there ... The nub of it
is it's quite difficult to price," said Nigel Spencer, a global
development manager at UK insurance group RSA.
In the United States, the cyber insurance market is worth
about $1.3 billion in annual premiums, up nearly a third since
2012, according to a report by Betterley Risk Consultants.
Though growing, this is still a small fraction of a non-life
U.S. insurance market estimated to be worth about $667 billion
in premiums by industry communication group the Insurance
Expectations that the UK and European markets will converge
with the United States are prompting many to invest in their
capacity to develop suitable products to meet the new demand.
"We've got a specific head of data risks in the UK
organisation and we're skilling-up our cross-class underwriters
to handle data risk," said Matthew Webb, an underwriter at
Hiscox. "We're constantly monitoring the situation."