Should individuals buy insurance against cyber attacks?

Cyber cover has been one of the hottest topics in the insurance world for the past few years. Insurers have been tripping over each other to offer policies that protect their customers against the worst that cyber criminals can throw at them.

Those customers have been exclusively in the corporate world, with companies insuring themselves against the kind of attacks faced by retailers including Home Depot, Staples and Tesco; TalkTalk, the telecoms company; Equifax, the consumer credit reporting agency; and countless others.

Earlier this year, however, US-based AIG launched FamilyCyberEdge, a policy aimed at individuals. It was a pioneer in the field, but is not the only one. Others including UK-based Hiscox and Munich Re-owned Hartford Steam Boiler have also been rolling out personal cyber insurance.

They all think the market has huge potential.

“We’ve seen an explosion of interest from our brokers and agents, and from financial advisers,” says Anna Brusco of AIG’s private client group.

AIG and its peers have developed products that cover anything that could go wrong with a customer’s own IT systems. AIG’s cover ranges from data restoration after an attack to advice if the customer is a victim of cyber extortion or cyber bullying. It also covers reputation management, paying the cost of hiring a crisis consultant if compromising photos or texts are leaked from a hacked device.

Hiscox’s personal cyber insurance covers similar risks. “It is a service-driven proposition,” says Stephen Ridley, a senior underwriter specialising in cyber and data at Hiscox. As well as providing insurance, the company helps customers improve their personal cyber security. “We work with Dynarisk, an online risk management tool, which can provide an individual with a score and tips on how to improve it.”

The products go beyond the identity theft protection sold by LifeLock, a company that was bought by Symantec last year for $2.3bn.

Hiscox and AIG have aimed their personal cyber insurance at rich individuals, who may have a lot to lose if their systems are attacked.

“High-net-worth families and individuals take on commercial-type exposures,” says Jerry Hourihan, president of the private client group at AIG. “AIG has developed a well of commercial cyber expertise, and we are bringing that to [wealthy individuals].” AIG said its cyber cover would cost around 10 to 15 per cent of the cost of a home insurance policy.

Hartford Steam Boiler — which sells its product via other insurance companies — believes that its cyber policy, which costs as little as $30 per year, could have an appeal beyond the very rich.

“All the major homeowner [insurers] are anxious to provide some sort of cyber offering,” says Tim Zeilman, a cyber insurance specialist at Hartford Steam Boiler. “People seem to think that it is going to be a standard part of homeowner’s cover in the next five to 10 years.”

While banks, retailers or credit card companies can sometimes be held responsible for losing their customers’ data, he says, they cannot be relied upon to cover the costs of everything that might go wrong. In cases of fraud and ransomware, for example, individuals might find themselves liable for the costs.

“Cyber is an easy thing to talk to, and to persuade people that they need because of the constant media attention,” says Mr Zeilman.

Not everybody is convinced that we should be buying our own cyber insurance, however. Josephine Wolff is an assistant professor at the Rochester Institute of Technology in the US. She says that, for most people, personal cyber insurance is not necessary.

“If you are a very high-net-worth individual, then it is possible that this would make sense. For other people the costs [of a cyber attack] are not so high.”

She adds: “It is very hard to put price tags on breaches, especially how they affect individuals. Most of the time the individuals are not on the hook — the charges are absorbed by banks, retailers or payment companies.”

She worries that, if personal cyber insurance becomes widespread, then it will send the wrong message to the companies who hold data, effectively discouraging them from investing in their own IT systems. She is also concerned about insurers paying out for ransom demands. “Systemically, it does not put in place the right incentives,” she says.

Despite those doubts, people involved with cyber insurance believe that in future it will be a regular purchase as homes become more connected.

“A typical home we insure has 20 devices that are WiFi enabled and vulnerable to hacking,” says Mr Hourihan. “It is our job to be on offence to help people understand what the risks are.”

Mr Ridley says that the key to the expansion of personal cyber insurance will be finding the right routes to market. “It may be something to be bought alongside your bank account, just as you have accounts that include travel insurance,” he says.

“Insurance premiums are not going to be huge, so insurers will have to partner with banks and other consumer groups.”

https://www.ft.com/content/72e11ca6-98ad-11e7-8c5c-c8d8fa6961bb