To Insure Or Not To Insure: Is Cyber Insurance Worth The Cost?

By Christine Kern, contributing writer

Cyber insurance is becoming more of an issue for businesses, especially those that deal in very valuable consumer information. This type of insurance coverage can provide a safety net for businesses that are targeted by cyberattacks. The problem, however, is that the insurance industry is still not well versed in digital risks and many insurers have had trouble offering adequate protection in this space.

According to Robert Parisi, network security and privacy practice leader for insurance broker Marsh USA, a unit of Marsh & McLennan, that after a 21 percent increase in Marsh's cyber insurance sales in 2013, sales for the first half of 2014 are double what they were for the same time last year.

At an estimated $1 billion to $2 billion, 2013 sales of cyber-insurance were a fraction of the $1.1 trillion in total U.S. insurance premiums last year. But Parisi sees the number growing exponentially in the foreseeable future.

“The growth trajectory, I see no sign of it abating,” Parisi said. “Cyber insurance is underpenetrated in the economy in general and we’re at the long end of the hockey stick heading upward.”

A 2014 study, “Net Losses: Estimating the Global Cost of Cybercrime,” conducted by software security firm McAfee for the Center for Strategic and International Studies, estimated that cybercrime costs the global economy $445 billion a year. The report also forecasts the cost will rise as more consumers and businesses connect to the Internet, creating in turn a larger potential market for cyber-insurance.

“Just about every business today needs cyber-insurance,” according to Bob Hartwig, president of the Insurance Information Institute. “More and more businesses are transacting online and the reality is it’s only going to increase as we move forward.”

In response to highly publicized data breaches, directors and upper-level executives are increasingly focused on boosting companies’ defenses and making sure their firms are ready to act in the event it happens to them. Parisi said that anytime a problem reaches that level of attention, companies are going to act.

While many of the headlines about cybercrime tend to be about attacks at large firms, The Ponemon Institute's “2014 Cost of Data Breach Study: United States” found a company with less than 10,000 records is more likely to be hacked than a firm with more than 100,000 records, in part because smaller firms are less likely to have robust defenses against hackers.

The Ponemon study found the average cost of a data breach to an organization in 2013 rose to $5.9 million from $5.4 million in 2012. The study looked at firms where the information of more than 500 clients had been compromised.

The study found the cost of a breach can be reduced if a firm already had a strong security profile and an incident response plan in place. It also found companies that notify customers too quickly — before doing a thorough assessment or forensic examination — risked increasing their costs.

Many organizations have good security practices in place, but that doesn’t stop events from happening every few years.

“A lot of the information security guys feel that insurance isn’t needed because they’ve got the back of the company; they are doing a good job on security and nothing is going to happen,” says Mark Greisiger, president of Philadelphia-based NetDiligence, a firm that specializes in cyber risk assessment for major insurers, brokers and industries.

“And for many organizations, that's true. The question is not frequency, it is severity. How bad is it going to be and are you able to control it so that it is more of a nuisance than some catastrophe?”