It’s been reported that the alleged hacker behind the Capital One data breach may have also hit other major companies, which, if true, could result in the largest cyber loss event the insurance industry has ever seen.
On July 29th, 2019, Capital One said that an individual accessed its IT systems, which led to the loss of personal data associated with 106 million customers, 100 million in the U.S. and 6 million in Canada.
The hacking and data breach is one of the largest ever in the banking and finance universe, and Capital One has said that it expects the cyber attack to drive incremental costs of between $100 million and $150 million in 2019, which is mostly for customer notifications, credit monitoring, technology costs, and legal support.
Capital One, a U.S. and global banking and personal finance group, explained that it has a $400 million cyber insurance tower in place to protect it against “certain costs associated with a cyber risk event.” This tower is subject to a $10 million deductible and also standard market exclusions.
At this time, it’s unclear how much of the $100 million to $150 million in costs incurred could be claimed back by Capital One under its cyber insurance protection, so it remains uncertain how large this cyber insurance loss could be.
It’s also possible that Capital One may have underestimated the costs, and if litigation came into play and was covered under the cyber insurance tower, there’s the potential for the Capital One loss to go even higher.
However, researchers have suggested that the Capital One breach might actually be more widespread than initially feared, with Slack messages seen by Forbes implying that the alleged hacker might have also accessed data from a number of other major organisations – while the Department of Justice has reportedly said that the alleged hacker could face additional charges.
Clearly, at this time it remains speculative and it’s unclear if any other companies were hit by the Capital One breach. But if that turns out to be the case, and should impacted organisations also have a cyber insurance tower in place, then this event has the potential to become the largest cyber insurance industry loss on record.
Analysts at Morgan Stanley have commented on the Capital One breach, noting that at $400 million, the size of the firm’s cyber insurance limit suggests that exposure to any one carrier will be limited, as programmes of this size are typically spread across numerous carriers.
The analysts said a number of publications have cited AIG as the cyber insurance policy’s lead underwriter. Other players are also expected to have exposure, including AXIS, Berkshire Hathaway, Chubb, CNA, Nationwide, and Sompo International.
With this in mind and in light of the inherent complexity of assessing the impacts of cyber risks and attacks, it could be some time before the insurance and reinsurance market loss from the Capital One breach is fully understood.