Could recent data breach wave cause market turning point?

By Chad Hemenway on January 17, 2014

Developments since retailer Target first announced it was the victim of a cyber attack have pointed to a much larger event.

What was an incident potentially affecting 40 million Target customers has grown to a breach affecting as many as 110 million customers—about one third of the US population.

In addition, Dallas-based Neiman Marcus—a high-end retailer—confirmed that it was also investigating, with the help of the US Secret Service, a breach uncovered in mid-December. Neiman Marcus said “some” customers’ payment cards were “possibly compromised,” but it offered no details other than saying it would notify customers if the store knew their cards were used fraudulently.

Target disclosed its breach around the same time, December 19. The third-largest retailer’s point-of-sale systems were hacked from November 27 to December 15.

Whether the timing is mere coincidence has not been determined, but Reuters reports, citing unnamed sources, that not only are the retailers’ breaches related but there are “at least three other well-known US retailers” involved.


The retailers came forth after journalist Brian Krebs released information on his blog based on information he had heard from sources.

In an interview with CNBC, Rep. Maxine Waters (D-CA), a ranking member of the House Financial Services Committee, said lawmakers “don’t know exactly how many other companies” are involved in holiday-season data breaches, but she added, “We do know there are three others that I cannot name at this point.”

Now that it appears that what had been just another large data breach is part of something much larger—whether these retail cyber breaches are connected or are separate events in rapid succession—will the cyber insurance market be affected?

Ben Beeson, partner, global technology and privacy practice at Lockton, told Advisen that the market impact of the Target cyber breach, when it was first reported as affecting 40 million customers, was likely “negligible, sadly.”

“It’s certainly a buyer’s market,” he said. “Very broad policies are available for not a lot of money. The industry is signing up for a lot of risk. There is a worry for when that big systemic loss does happen.”

John Coletti, vice president at XL Group, where he leads the insurer’s cyber and technology E&O underwriting, said cyber insurance policies “aren’t priced right” and “policies are written too broadly.”

New carriers are adding to competition and to an already abundant supply of capacity in the marketplace, according to sources.

Mark Camillo, AIG’s head of network security and privacy products for the Americas, told Advisen earlier this month that insureds could see cyber premium quotes 30 percent to 50 percent lower than five to seven years ago, with broader coverage available.

According to Advisen ADVx Index data, cyber liability pricing has decreased about 6.8 percent since the first quarter 2009 (see chart below). There are about 50-55 underwriters in the cyber insurance marketplace, accounting for about $1 billion in gross written premium.

Advisen Loss Insight is now tracking about 40 lawsuits filed against Target alone, and another class-action suit against Neiman Marcus. The breach at Target is now the largest retail cyber breach ever, according to Advisen Loss Insight. Expenses and litigation costs related to the breach are expected to eclipse the retailer’s insurance coverage.

Sources confirmed reports that Target has about $100 million of cyber insurance, including a $10 million retention. AIG, ACE, Axis and other carriers comprise the Minnesota-based retailer’s insurance tower. Plus, Target has about $65 million in D&O coverage from AIG, ACE and Travelers, said sources.

While some sources said a significant event—a “cyber tsunami” of sorts, as one executive called it—would need to occur to shake the cyber insurance marketplace, Chris Keegan of Willis contemplated another scenario.

“Perhaps four to five large breaches in a row could change the [marketplace] dynamics,” he said, “or a big change in laws and regulations.”

The recent breaches—all of which have yet to be completely understood—have certainly gained notice from lawmakers, from Washington DC to the local level. State attorneys general are looking into the Target and Neiman Marcus breaches.

Keegan said he has received more calls seeking cyber insurance information since news of the Target breach first broke.

“They are at least considering it,” Keegan said of consumers. “It’s a budget issue—an additional expenditure—and it can take some time for the value to be communicated. These are complex policies that are not always familiar to risk managers.”

AIG’s Tracie Grella, global head of professional liability, told the Financial Times the insurer saw sales increase 30 percent in 2013, compared with 2012.

Bob Childress, CEO of independent agency Solace Insurance in Largo, Fla., said: “Perception is a risk-driver. One to two cases can change the perception, but I don’t think these recent breaches will impact [carriers’] ratios at all.”

The head of the insurance intermediary for small to midsized businesses said an uptick in cyber-insurance buying has been a trend for some time, adding more premiums and “spreading the risk further.” Additionally, more insurers have “jumped into the game.”

According to Willis, eight of the top 15 largest breaches of all time occurred in 2013. The average number of records exposed per breach jumped to 822 million from 260 million in 2012.

“With new breaches reported each day, and more organizations purchasing cyber insurance, cyber carriers are increasingly paying losses,” wrote Tom Srail, vice president at Willis in the FINEX North America E&O and cyber risk team. “Look for market impacts such as deductibles/retentions, premium rates, and insurer appetite to evolve.”

Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalism experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy.