Marsh offers limits of more than $300 million on catastrophic cyber policy

Marsh has launched a catastrophic cyber policy for large companies that offers limits of more than $300 million in coverage above a minimum $100 million self-insured retention.

Underwritten by leading cyber insurers and sold exclusively through Marsh, Cyber-CAT provides catastrophic protection for large companies seeking to better manage the growing threat of a cyber-related data disruption or unplanned technology outage, notes a statement issued Thursday by Marsh, a global provider of insurance broking and risk management services and wholly owned subsidiary of Marsh & McLennan Companies.

“The costs associated with a major cyber event or technology disruption can run into the hundreds of millions of dollars for large companies – even those with little to no ‘typical’ privacy exposure,” Bob Parisi, Marsh’s network security and privacy practice leader, says in the statement.

Marsh cites the results of a Ponemon Institute study released in 2013. The results showed the annualized average cost of a cyber-crime from a sample of U.S.-based companies was US$11.56 million. However, a large multinational company could have losses amounting to 10 times that amount or more.

Designed for large public and private institutions capable of taking a $100 million+ self-insured retention, as well as companies that do not have a typical “privacy” exposure, the policy provides coverage over and above what standard cyber insurance policies offer, including physical property damage resulting from a system failure.

There are gaps in traditional insurance coverage, notes information from Marsh, including the following:

•general liability policies traditionally do not cover pre-claim expenses, damage to electronic data, or criminal or intentional acts of the insured or its employees;

•property policies typically limit coverage to damage to/loss of use of tangible property resulting from a physical peril;

•fidelity/crime policies generally limit coverage to direct loss from employee theft of money, securities or other tangible property; and

•errors and omissions policies typically limit coverage to claims arising from negligence in performing specifically defined services and exclude coverage for criminal or intentional acts of insureds or their employees and pre-claim expenses associated with a privacy breach.

Related

Energy insurance market should rethink cyber clauses: Marsh

Insurance industry needs better cyber coverage: Marsh CEO

Cyber-CAT can be customized to include any or all of the following coverages: privacy and security liability, information assets, business interruption coverage (including extra expense), cyber extortion, criminal reward fund, and crisis and event management. Buyers will receive analysis of their company and industry risks, such as proprietary information security self-assessment, risk map and profile, financial benchmarking and loss modeling, and coverage gap analysis.

“Technology disruptions can have more of a material impact on the financial health of a company than even the most adverse weather conditions,” Marsh argues. “Recent cyber-events have shown that a company is not just exposed to hacking, but that the interconnectivity and sharing of data leaves it open to operational challenges – making cyber risk a true operational risk,” it adds.

Marsh cites EisnerAmper’s Fifth Annual Board of Director’s Survey, conducted in the first quarter of 2014, which shows that cyber security and IT risks were the number one concerns for boards of private companies (66%) and a close second for public companies (71%) , compared to reputational risk (74%).

For the largest companies – those with revenue of more than $1 billion – directors serving these companies reported that cyber security (73%) was the top risk, followed by reputational risk (72%).