By Luciana Lopez
NEW YORK (Reuters) - Even as the Sony Corp <6758.T> cyber attack laid bare the kinds of vulnerabilities that typically drive companies to buy insurance policies, the lack of a risk model for insurers means such protection is not always easy to get.
Unlike earthquakes, tornadoes or even terrorism, there are no existing models to calculate how much a so-called "cyber hurricane," cutting across a swath of companies, could cost. Without that, insurers cannot be sure how much risk they can afford to underwrite.
At least two risk modelling companies, RMS and AIR Worldwide, are trying to solve that puzzle, building a model that can help gauge how much havoc – in dollars and cents – such cyber breaches can cause.
"Everybody's being attacked at this point," said Scott Stransky, manager and principal scientist at AIR Worldwide. "We're hoping to change that game."
While high-profile attacks at retailers such as Target Corp and Home Depot Inc this year have spooked consumers, the devastating cyber attack on Sony hammered home that plenty of damage can be done beyond stolen credit card numbers.
"Sony has become a watershed event," said Kevin Kalinich, global practice leader for cyber/network risk at Aon, a consultancy and insurance brokerage.
The insurance industry has been banging the drum about the breadth of cyber risk for 10 to 15 years, Kalinich said. "Finally we've gotten their attention."
In a 2014 study, the Ponemon Institute and IBM found that the average total cost of a breach in the United States was $5.9 million.
Major attacks can cost far more. The Sony attack could cost as much as $100 million, according to one estimate. In August retailer Target reported gross expenses of $148 million related to a December 2013 breach.
A 2014 McAfee study estimated cybercrime cost the global economy anywhere from $375 billion to $575 billion annually.
The United States is largely a mature insurance market, with coverage for cars, homes and other risks common. But cyber is a new frontier for insurance companies looking to grow. While estimates vary widely for how many U.S companies carry policies for such risks, the data suggests room for growth.
A 2013 survey from insurance industry data company Advisen and insurer Zurich found 52 percent of companies say they purchase at least some cyber liability coverage.
However, a Fortune 1000 survey that same year from insurance broker Willis found a far lower number, at only 6 percent, though Willis noted cyber coverage is likely under-reported.
Part of the problem with figuring out who's protected against a breach is the same as figuring out how to protect them in the first place: No one wants to talk about having been hacked.
It's unlike, say, with typhoons, for which there is readily available data stretching back decades. There is no such record for cyber attacks, and data is the lifeblood of modelling.
"Getting the historical data for cyber is a huge challenge," AIR's Stransky said. The firm is developing a model that it hopes to bring to market within "much sooner" than five years, although he would not say how much sooner.
Another speed bump: The constantly evolving nature of cyber attacks. Because hackers are constantly devising new ways to get into systems – from basic social engineering like guessing simplistic passwords to sophisticated viruses – any risk model must be dynamic.
A completed model could potentially do something no one seems able to figure out: understand what a cyber event might look like across not just one company, but, as with a large-scale weather event, across many companies or industries.
That possibility comes ever closer to reality. A breach at a major cloud provider, for example, could sow disaster among hundreds or even thousands of companies.
RMS is talking to insurers with an eye to developing a model that can start gauging probabilities of widespread attacks as early as next year, said Andrew Coburn, a senior vice president with the firm.
A working model, he said, could help insurers feel more confident in underwriting more of this kind of risk.
"They've been writing relatively low limits," he said. "It's an issue that the insurance industry needs to grapple with."
(Reporting by Luciana Lopez; Editing by Jennifer Ablan and Dan Grebler)