After a recent cyberattack cost the uninsured shipping giant hundreds of millions of dollars, FedEx is exploring cyber insurance.
A recent cyber attack that disrupted service at FedEx’s Dutch affiliate TNT Express unit has cost the package-delivery company $300 million in its most recent quarterly profits. But without cyber risk insurance, the incident could cost the shipping company much more.
In June, FedEx fell victim to the NotPetya virus, which reportedly spread from a Ukrainian tax software product and temporarily shuttered shipping ports, factories, and corporate offices throughout the world. Although FedEx officials said that TNT Express has since resumed operations, its volume, revenues, and profits have yet to recover completely.
FedEx further admitted that it’s begun to consider purchasing cyber insurance, a line of coverage it hadn’t previously owned. “We are re-examining where the market is,” Chief Financial Officer Alan Graf said during a conference call. “We think it’s getting deeper and we are going to go out and see if there is something that we can develop that would add protection for our company at a reasonable price.”
Cyber Insurance Market Growing
The FedEx security breach reflects a growing trend of major companies being hit by hackers who want either money or access to personal data held by those organizations. It also highlights the importance of sufficient coverage, since these attacks can carry crippling costs.
Last month, Nationwide Mutual Insurance Co. and its subsidiary Allied Property & Casualty Insurance Co. agreed to pay $5.5 million to 33 states to settle a 2012 data breach that exposed the personal information of 1.27 million people. In June, health insurer Anthem paid out $115 million to settle losses resulting from a 2015 hack that revealed the personal information of approximately 79 million, reportedly the largest settlement ever for a security hack at that time.
Anthem’s total may soon be eclipsed by Equifax. After hackers gained access to company databases containing the personal data of more than 143 million Americans, Bloomberg reported that the credit agency is insured for $100 million to $150 million, likely far less than its total losses.
By shining a spotlight on the massive cost of a cyber attack, insurance experts expect more organizations to purchase coverage — or at least investigate their potential risks. “This [Equifax] data breach should drive continued cyber insurance growth within the P&C industry, causing organizations of all sizes to reevaluate their insurance and cyber security strategy,” David Derigiotis, Vice President of the Professional Liability Center of Excellence at insurance wholesaler Burns & Wilcox told PropertyCasualty360.com.
Even before the high-profile attacks on Equifax and other major corporations, the cyber insurance sector recorded significant growth. Fitch Ratings reported that property and casualty insurers wrote $1.35 billion in direct premiums for cyber insurance in 2016, a 35% increase from the previous year. Fitch added, however, that its figures may underestimate the actual total because cyber security coverage might be part of a multi-line package rather than a standalone policy.
Cyber insurance typically covers regulatory and civil penalties, business interruption expenses, and system repair costs. It also reimburses organizations for extortion payments as well as the price tag for notifying affected parties.
Not Just for the Big Guys
Given media coverage of security breaches at major, worldwide corporations, many small or midsized business owners may mistakenly believe that they don’t require cyber insurance. The reality is that any business that oversees a large amount of personal data from clients — such as an insurance agency — is vulnerable to a cyber attack. In addition to insuring costs related to cyber attacks, purchasing cyber insurance can also force businesses to review and strengthen their network security measures.
The Ponemon Institute calculates the average cost of a cyber attack on a small business is $690,000. For mid-sized companies, the amount rises to over $1 million. What’s more, the National Cyber Security Alliance reports that 60% of smaller companies cease operations six months after an incident.
Herb Davis, VP at Smith-Berclair Insurance in Memphis, told the Memphis Daily News that he urges more small businesses to purchase cyber insurance policies. “Criminals like to go after the low-hanging fruit,” he said. “And small businesses represent the low-hanging fruit.”