The holiday hacker attack on Target Corp. was a nightmare for the retailer, but it has delivered a giant gift to insurers that sell With vulnerability to hacking in stark relief, insurance brokers say sales of cyberinsurance have picked up sharply this year. The interest is coming from a diverse mix of customers, including public schools in Ann Arbor, Mich., which in February acquired $1 million in cyberspecific coverage for the first time, from a unit of Zurich Insurance Group AG.
"You hear in the news of all those things happening, and we just wanted to make sure that our employees would be covered in case of a breach," said Nancy Hoover, a school-district finance official. The district is adopting new human-resources and payroll software and was concerned its potential risk was increasing, she said. The policy's annual premium is $21,400, and it covers the cost of services to monitor credit-card accounts, among other potential expenses.
Insurers have pushed the coverage hard for a while, and this year may be an important turning point. "The Target data breach was the equivalent of 10 free Super Bowl ads," said Randy Maniloff, an insurance-industry lawyer with White & Williams.
In December, the retailer said hackers stole tens of millions of credit- and debit-card numbers in the data breach. Then, in early January, Neiman Marcus Group disclosed that it, too, had been victimized last year.
Just last week, another incident surfaced. The California Department of Motor Vehicles said it is investigating a potential breach of its credit-card processing systems.
Many policies cover the costs of investigations, customer notifications and credit-monitoring services, as well as legal expenses and damages from consumer lawsuits.
Aon AON -0.73% PLC estimates that annual industry premiums for cyberspecific coverage last year totaled about $1 billion, a new high, up from $675 million in 2012. About 70 insurers sell the coverage. Besides Zurich Insurance, they include American International Group Inc., AIG -1.22% Chubb Corp. CB -0.38% and syndicates at Lloyd's.
Also heating up the market is a February ruling by a New York state court against Sony Corp. 6758.TO +0.53% in a dispute over whether standard liability policies should pay some of the costs stemming from a 2011 attack of its online videogame services. The opinion bolsters the need for a distinct cyberpolicy, some lawyers said. The policies Sony sought to tap don't mention hacking attacks. The court ruled in favor of Zurich and Mitsui Sumitomo Insurance Co. of America, deciding that it wouldn't interpret the language to obligate them to pay to defend Sony in lawsuits. Sony declined to comment.
Increasingly, general-liability insurers are expected to adopt language specifically excluding damages arising out of cyberattacks, industry executives said.
There also is a growing pool of customers, as even small businesses "are transacting more of their business online [and] have many of the same exposures as a company like Target, just on a smaller scale," said Robert Hartwig, president of trade group Insurance Information Institute.
Even with all the hacking headlines, insurers will have to persuade buyers that cyberpolicies are worth up to about $35,000 a year for $1 million of coverage, depending on various factors.
Linda Kornfeld, a partner at Kasowitz, Benson, Torres & Friedman, said policies are "still far from being perfected" and clients must assess if they will "even cover a company's greatest risks."
At the Marsh brokerage unit of Marsh & McLennan Cos., cyber-related sales in January and February were "on par for what we did in the first half of 2013," said Bob Parisi, who heads the Network Security and Privacy Practice. The recent high-profile breaches were "a watershed event," he said. They "kind of brought it home, frankly, to boards of directors."
Kevin Kalinich, a senior executive at Aon Risk Solutions, said inquiries from potential buyers have tripled since the recent hackings and a greater portion of callers are buying. Before, "we were selling 1.2 policies for every 10 inquiries," he added. "Since, it is 4.2 for every 10 inquiries."
Health-care, financial, retail and technology businesses buy policies that can top $200 million in coverage in arrangements involving a half-dozen or so insurers, brokers said. Many insurers have limits on how much risk they will take and the scope of coverage varies, Mr. Kalinich said.
Target is among retailers with the coverage-and is counting on payouts, according to a March regulatory filing. It said it maintains $100 million of "network-security insurance" above a $10 million deductible, and had booked a $44 million receivable "for costs we believe are reimbursable and probable of recovery," partially offsetting $61 million of expense relating to the attack.
Some businesses are motivated to buy the coverage after experiencing their own breaches, should new problems develop. South Shore Hospital in Weymouth, Mass., obtained a cyber-risk policy after a 2010 incident in which data tapes with health information of hundreds of thousands of consumers were lost, a spokeswoman said.
For the financial-services industry, "cyberthreats are a constant reality," said Chief Information Security Officer Mark Clancy at Depository Trust & Clearing Corp. The company has had specialized coverage for just over a year that covers some of its potential cybersecurity risks.
Insurers have "a fairly formidable challenge" pricing the specialized policies in the absence of historical data, Mr. Clancy said. "It's a very interesting problem they have to work through."