A dizzying string of high-profile data breaches this year, coupled with the staggering cost resulting from such exposures, have ratcheted up demand for cyber risk insurance.
This year, businesses are expected to take out about $800 million in policies, according to estimates from consulting firm Betterley Risk Consultants. The insurance industry currently offers “first-party” policies, which cover the damage or theft of an organization's assets, and “third-party” policies, whichcover losses directly related to the breach, including customer attrition and victim notification.
Most of the interest now is around third-party policies for organizations that want to transfer risk, said Larry Clinton, president of the Internet Security Alliance.
– Source: Betterley Risk Consultants
Driving the uptick in demand is the rising cost of breaches and the realization that no organization is immune, Clinton said. Breaches cost organizations an average of $7.2 million in 2010, up from $6.8 million the previous year, according to a recent study by Symantec and the Ponemon Institute.
By purchasing third-party cybersecurity insurance, organizations take an unknown – the eventual cost of the breach – and turn it into a known by paying a premium and deductible, said Rick Betterley, president of Betterley Risk Consultants. “Instead of having a several million dollar loss, you pay a $100,000 premium,” he said.
The cyber insurance application process is often lengthy and requires a fair amount of work. But on the positive side, it can sometimes uncover weaknesses in an organization's security posture not obvious before, Betterley said. Third-party insurance also provides, to some extent, a roadmap for responding to a breach, he added.
Such policies are highly attractive to midsize firms in particular, Betterley said. A recent study conducted by his company of middle-market organizations indicated that 25 percent of respondents planned to purchase cyber insurance in the next 18 months.
An insurance policy for cyber risks is not for everyone, though. Some small firms might find their level of risk does not justify the cost, Betterley said. Too, very large firms that are routinely breached may discover that cyber insurance premiums exceed the benefits they offer.