Rise in data breaches drives interest in cyber insurance

Growing awareness of cyber threats and reporting requirements by regulators are driving a newfound interest in insurance products covering data breaches and other computing risks.

Almost a third of companies (31 percent) already have cyber insurance policies, and more than half (57 percent) that don't have policies say they plan to buy one in the future, a recent study by the Ponemon Institute and Experian Data Breach Resolution found.

"It's an issue that's much more front and center with senior executives in companies now," Larry Ponemon, founder and chairman of the Ponemon Institute, said in an interview.

"Data security may not be a top five issue with companies, but it's in the top 10," he added.

Concern over cyber threats is so great that more than three quarters (76 percent) of the organizations participating in the study that had experienced a security exploit ranked cyber security risks as high as or higher than other insurable risks, such as natural disasters, business interruptions and fire.

"That's very surprising," Ponemon said. "A lot of folks feel -- maybe because of all the media coverage or all the war stories we hear about -- that the whole area of data breach and data loss is an issue that can have a material impact on the company."

The researchers also found the average cost of the security incidents affecting the companies participating in the study to be $9.3 million. When asked to predict what the average cost would be to them in the future, respondents estimated $163 million.

Nevertheless, a company's interest in cyber liability insurance appears to be piqued only after its data horses have left the barn. Seventy percent of respondents say their companies became much more interested in insurance policies after an incident, the study said.

For companies shying away from cyber liability insurance, top reasons uncovered by the surveyors were expensive premiums (52 percent) and too many exclusions, restrictions and uninsurable risks (44 percent).

"One of the things that makes people leery about insurance are all the things that aren't covered in a policy," Ponemon said. "That's true of all kinds of insurance. We think we're covered, but we're not really covered so we live in a sort of false paradise."

Before computing was as mission critical as it has become for most businesses, a company may have been able to persuade an insurer to cover a loss connected to a cyber incident under the organization's general liability insurance policy. That's not the case anymore.

"Insurance companies have tightened up their underwriting in casualty and property policies," Ponemon explained. "We're starting to see data breaches and security compromises specifically excluded from those policies."

One reason for excluding those risks is they're hard to quantify. "While interest continues to grow, the market for cyber insurance is still immature, because the risks underlying the coverage are difficult to quantify from an actuarial standpoint," John A. Wheeler and Paul E. Proctor wrote in a Gartner report last year.

"With no standard set of actuarial tables, insurance carriers are often left to their own underwriting standards and creativity when offering cyber insurance policies," they wrote. "A lack of actuarial data also makes cyber insurance less desirable to companies, while increasing the price."

Insurers, though, have gotten better at quantifying certain kinds of cyber risks. "Where cyber insurance has gained some traction is in an area that's more quantifiable -- the data breach area," Andrew Braunberg, a research director at NSS Labs, said in an interview.

"That's where all the action is today for obvious reasons," he continued. "There are breach notification laws so businesses can't get out of doing it, and there's lots of data so the insurance companies are pretty confident what an incident is going to cost them to insure it."

It's not so easy, however, to calculate the cost to insure other risks, such as loss of reputation, intellectual property or network connectivity. "The actuarial data there is nowhere near as complete or refined as it is with the simpler breach policies," Braunberg said.

One insurer that has seen a recent bump in interest in its cyber liability offerings is Hartford Steam Boiler. It launched a data breach product in 2007 and a cyber threat offering this year. "We've seen steady interest in the data breach policy over time, but a renewed surge of interest in it over the last six months or so," Vice President Timothy Zeilman said in an interview.

"We've seen steady interest in the cyber threat product as well," he added.

That interest is being fueled by increased awareness in the market. "We're seeing, particularly in the media, coverage of cyber events, whether it be cyber espionage or high profile data breaches," Zeilman said.

Data breach laws have also contributed to increased interest in insurance. "Data breach coverage's whole reason for being is the notification laws that exist in 46 states," Zeilman observed. "The purpose of those coverages is to help insureds bear the cost of complying with state notification laws."

In addition, the U.S. Securities and Exchange Commission (SEC) has issued guidelines suggesting public companies report cyber incidents on corporate filings. "It wasn't the watershed event that the insurance industry thought it would be," Zeilman said. "But it was one of many things that's led to higher exposure for this kind of insurance."


Stories by John P. Mello
