Close to one-third of companies already have a cyber insurance policy, based on reports from consulting firms. For example, according to a 2013 Ponemon survey of nearly 19,000 security and risk management professionals, 31 percent say their companies have cyber security insurance policies and 39 percent say they are planning to purchase one. The number of cyber insurance policies sold in 2012 increased 33 percent compared to the previous year, and jumped another 20 percent in 2013, says New York-based insurance brokerage firm Marsh LLC.
Why such interest now? Executives are waking up to the notion that even if they are not the next Target (pun intended), the cost of cyber liability coverage is quickly being outpaced by the cost of improvements and, in many cases, legal settlements. According to a 2013 NetDiligence study reviewing only the legal costs associated with 29 separate hacking incidents, defense expenses ran as high as $10 million and settlement costs as high as $20 million (mean costs were $575,000 and $258,000, respectively). An earlier study by the Ponemon Institute found that the average data breach cost $5.4 million in 2012, up 26 percent from the previous year. In addition, at least two recent court rulings – one in New York and another in Washington state – have supported the notion that the compromise of personal information stemming from these breaches is not covered under traditional liability insurance policies.
“The whole area of cyber insurance has matured quite a bit in the last three to five years,” says Larry Ponemon, chairman and founder of the Ponemon Institute. “It sounded like a good idea 15 years ago, but [today] you're in a world of hurt if you don't know what your exposure is going to be.”
OUR EXPERTS: Business protection
Stephen Boyer, co-founder and CTO, BitSight
Alex Deshuk, manager of technology and innovation, city of Mesa, Ariz.
Ken Goldstein, VP and global cyber security and media liability manager, Chubb Group of Insurance Companies
Lysa Myers, security researcher, ESET
David Navetta, partner, InfoLawGroup
Larry Ponemon, chairman and founder, Ponemon Institute
More insurance companies are writing these policies too: Cyber insurance has gone from just a niche product offered by a small handful of insurance carriers to a high-profile offering hawked by more than two dozen major insurers, including AIG, Liberty Mutual, Chubb Group and Marsh & McLennan. Chubb's cyber insurance business, started in 2001, has been seeing double-digit growth, according to Ken Goldstein, vice president and global cyber security and media liability manager for the Chubb Group of Insurance Companies. “We continue to see companies of all sizes in a broad array of industries looking to transfer third-party liability and first-party expenses related to cyber risk,” says Goldstein. “This includes, among other things, coverage for unauthorized access to private and proprietary information, crisis management and privacy notification expenses, business interruption and extra expense, contingent business interruption and extra expense, system failure, regulatory defense and fines, penalties and consumer redress and PCI data security assessments.”
Ponemon says that in recent years, underwriters have gotten “really smart about this area,” as there is more activity focused on measuring risk. Likewise, organizations are realizing that their traditional insurance may not do them much good in the case of a major breach. “A lot of organizations to this day believe that their property and casualty insurance covers this, there's still that myth and they have a belief that they are okay or they can self-insure or it won't happen to them,” says Ponemon. “They are in la-la land.”
Stephen Boyer, co-founder and chief technology officer for BitSight, which develops ratings on companies' cyber security performance (akin to FICO credit scores), says that with tools and services like his own, insurers are developing the ability to better gauge the cyber risk of the organizations they underwrite. “The insurance world is not that dynamic and we're seeing a lot of new faces in the last year as [insurers] are seeing the opportunity and the growth in cyber-liability insurance.”