Preparing for the inevitable: Cyber risk insurance

Angela Moscaritolo, senior reporter, SC Magazine

A dizzying string of high-profile data breaches this year, coupled with the staggering cost resulting from such exposures, has ratcheted up demand for cyber risk insurance.

This year, businesses are expected to take out about $800 million in policies, according to estimates from consulting firm Betterley Risk Consultants. The insurance industry currently offers “first-party” policies, which cover the damage or theft of an organization's assets, and “third-party” policies, which cover losses directly related to the breach, including customer attrition and victim notification.

Most of the interest now is around third-party policies for organizations that want to transfer risk, said Larry Clinton, president of the Internet Security Alliance.

$800,000,000
Estimated volume of cyber insurance premiums purchased in 2011.

– Source: Betterley Risk Consultants

Driving the uptick in demand is the rising cost of breaches and the realization that no organization is immune, Clinton said. Breaches cost organizations an average of $7.2 million in 2010, up from $6.8 million the previous year, according to a recent study by Symantec and the Ponemon Institute.

By purchasing third-party cybersecurity insurance, organizations take an unknown – the eventual cost of the breach – and turn it into a known by paying a premium and deductible, said Rick Betterley, president of Betterley Risk Consultants. “Instead of having a several million dollar loss, you pay a $100,000 premium,” he said.

The cyber insurance application process is often lengthy and requires a fair amount of work. But on the positive side, it can sometimes uncover weaknesses in an organization's security posture not obvious before, Betterley said. Third-party insurance also provides, to some extent, a roadmap for responding to a breach, he added.

Such policies are highly attractive to midsize firms in particular, Betterley said. A recent study conducted by his company of middle-market organizations indicated that 25 percent of respondents planned to purchase cyber insurance in the next 18 months.

An insurance policy for cyber risks is not for everyone, though. Some small firms might find their level of risk does not justify the cost, Betterley said. Likewise, very large firms that are routinely breached may discover that cyber insurance premiums exceed the benefits they offer.
