As awareness of the long-lasting consequences of data breaches grows, alongside the apparent inevitability of such events, more companies are seeking cybersecurity insurance, also known as corporate insurance. To learn more about what cybersecurity insurance can and can’t do to mitigate the damages to a breached organization, and what modifications to these products we can expect to see in the short term and long term, I spoke with MetricStream VP of GRC Solutions Yo Delmar.
First, a little history. And there actually is history here, which might surprise those new to the cybersecurity insurance concept. This type of insurance coverage has existed since the 1990s, explains Delmar. Only a few insurance companies provided it at first, but it has experienced rapid growth, and is now actually the fastest-growing niche in the insurance industry. Thirty major carriers now offer a cybersecurity product.
“Cyber insurance, or network risk insurance, as it’s sometimes called, really took off about two years ago, when it became apparent that the cost of breaches was increasing. The growth rate is between 20 and 30 percent, depending on who you’re talking to; Marsh and McLennan says 21 percent and AIG says 30 percent. It’s at $1.3 billion for 2014, up from $1 billion in 2012, and Marsh and McLennan’s expectation is $2 billion in 2015.”
Another key event in the growth of cybersecurity insurance products, says Delmar, was the 2011 case in which a New York court ruled in favor of an insurer’s refusal to pay for data breach damages following a major breach of Sony’s gaming consoles. The insurer argued that Sony’s general liability policy didn’t cover the damages, and awareness of the need for a set of policies specifically for network security exploded.
More recently, says Delmar, guidance from the Department of Homeland Security on cyber insurance has gotten the message out to more businesses that a data breach equals business interruption and network damage. The direct result is key to both the growth and the efficacy of these insurance products:
“More insurance is taken out, and it is more clearly around preventative measures. The best practices that are put in place at the same time create better outcomes. They lower premiums, and will cause businesses to change behaviors.”
Who Is Insured
As far as who is taking out policies and what they’re paying, Delmar says companies of all sizes purchase cybersecurity insurance, but of the premiums paid last year, the bulk were from small and midsize businesses. Expect more large companies, she advises, to do so in the near future, especially after the Target breach:
“The maximum coverage is $300 million, which is much lower than that available for property insurance (that’s often in the billions). Target had $100 million in coverage and probably saw $3 billion in cost. But there’s murkiness here, a lack of data for the actuarials. As we get more historical data, more research models will be better clarified, and insurance will expand, not only in monetary value, but in inclusion of physical property coverage in extended policies, as well.”
Part of the reason there isn’t a lot of historical data, and that what is there isn’t relevant, is that the threat continues to evolve, says Delmar.
“But the board-level awareness of breaches and their costs is a security professional’s dream, because they need the business involved. This type of insurance offering gets eyes on the problem. As the damage and harm increase, and companies are brought to their knees, we’ll be seeing more thought around this in order to predict risk. It’s a complex puzzle, but we have to solve it.”