Growing awareness of cyber threats and reporting requirements by regulators are driving a newfound interest in insurance products covering data breaches and other computing risks.
Almost a third of companies (31 percent) already have cyber insurance policies, and more than half (57 percent) that don't have policies say they plan to buy one in the future, a recent study by the Ponemon Institute and Experian Data Breach Resolution found.
"It's an issue that's much more front and center with senior executives in companies now," Larry Ponemon, founder and chairman of the Ponemon Institute, said in an interview.
"Data security may not be a top five issue with companies, but it's in the top 10," he added.
Concern over cyber threats is so great that more than three quarters (76 percent) of the organizations participating in the study who had experienced a security exploit ranked cyber security risks as high or higher than other insurable risks, such as natural disasters, business interruptions, fire and such.
"That's very surprising," Ponemon said. "A lot of folks feel -- maybe because of all the media coverage or all the war stories we hear about -- that the whole area of data breach and data loss is an issue that can have a material impact on the company."
The researchers also found that the average cost of the security incidents affecting the companies participating in the study to be $9.3 million. When asked to predict what the average cost would be to them in the future, respondents estimated $163 million.
Nevertheless, a company's interest in cyber liability insurance appears to pique only after its data horses have left the barn. Seventy percent of respondents say their companies became much more interested in insurance policies after an incident, the study said.
For companies shying away from cyber liability insurance, top reasons uncovered by the surveyors were expensive premiums (52 percent) and too many exclusions, restrictions and uninsurable risks (44 percent).
"One of the things that makes people leery about insurance are all the things that aren't covered in a policy," Ponemon said. "That's true of all kinds of insurance. We think we're covered, but we're not really covered so we live in a sort of false paradise."
Before computing was as mission critical as it has become for most businesses, a company may have been able to persuade an insurer to cover a loss connected to a cyber incident under the organization's general liability insurance policy. That's not the case anymore.
"Insurance companies have tightened up their underwriting in casualty and property policies," Ponemon explained. "We're starting to see data breaches and security compromises specifically excluded from those policies."
One reason for excluding those risks is they're hard to quantify. "While interest continues to grow, the market for cyber insurance is still immature, because the risks underlying the coverage are difficult to quantify from an actuarial standpoint," John A. Wheeler and Paul E. Proctor wrote in a Gartner report last year.
"With no standard set of actuarial tables, insurance carriers are often left to their own underwriting standards and creativity when offering cyber insurance policies," they wrote. "A lack of actuarial data also makes cyber insurance less desirable to companies, while increasing the price."
Insurers, though, have gotten better at quantifying certain kinds of cyber risks. "Where cyber insurance has gained some traction is in an area that's more quantifiable -- the data breach area," Andrew Braunberg, a research director at NSS Labs, said in an interview.
"That's where all the action is today for obvious reasons," he continued. "There are breach notification laws so businesses can't get out of doing it, and there's lots of data so the insurance companies are pretty confident what an incident is going to cost them to insure it."
It's not so easy, however, to calculate the cost to insure other risks, such as loss of reputation, intellectual property or network connectivity. "The actuarial data there is nowhere near as complete or refined as it is with the simpler breach policies," Braunberg said.
One insurer that has seen a recent bump in interest in its cyber liability offerings is Hartford Steam Boiler. It launched a data breach product in 2007 and a cyber threat offering this year. "We've seen steady interest in the data breach policy over time, but a renewed surge of interest in it over the last six months or so," Vice President Timothy Zeilman said in an interview.
"We've seen steady interest in the cyber threat product as well," he added.
That interest is being fueled by increased awareness in the market. "We're seeing, particularly in the media, coverage of cyber events, whether it be cyber espionage or high profile data breaches," Zeilman said.
Data breach laws have also contributed to increased interest in insurance. "Data breach coverages whole reason for being is the notification laws that exist in 46 states," Zeilman observed. "The purpose of those coverages is to help insureds bear the cost of complying with state notification laws."
In addition, the U.S. Securities and Exchange Commission (SEC) has issued guidelines suggesting public companies report cyber incidents on corporate filings. "It wasn't the watershed event that the insurance industry thought it would be," Zeilman said. "But it was one of many things that's led to higher exposure for this kind of insurance."
Read more about data protection in CSOonline's Data Protection section.