BreachExchange mailing list archives

Cyber Insurance: The Next Big Thing for Businesses


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 7 Jul 2014 18:27:32 -0600

http://www.entrepreneur.com/article/235355

Earlier this year, New York City-based staffing agency Clarity bought cyber
insurance for the first time. This spring it added more coverage.

"We were actually hearing about it from our clients," said Elizabeth Wade,
Clarity's operations manager. "They were asking us about it and in order to
prevent being behind the eight ball we felt like we really wanted to be
proactive and get the insurance 'cause we knew it was something that was
important to our clients, and then it was important to us as well."

With a staff of 30, Clarity was looking to protect the information it takes
from the clients it places, like their Social Security numbers and dates of
birth. The initial coverage it bought from insurer CNA covered any legal
costs and the costs of lost business that would come with a breach. This
spring it added coverage for credit monitoring if its client data are
hacked.

Clarity is one of a growing number of small businesses buying cyber
insurance, and one of the reasons sales of this product are skyrocketing.

Robert Parisi, network security and privacy practice leader for insurance
broker Marsh USA, a unit of Marsh & McLennan, told CNBC that on the heels
of a 21 percent increase in Marsh's cyber insurance sales in 2013, sales
for the first half of 2014 are double what they were for the same time last
year.

"The number of (data) breaches in 2013 certainly was the last straw in the
camel's back," Parisi said, referring to well-publicized breaches like the
one involving more than 110 million Target clients last winter. "A lot of
people who were sitting on the sidelines, it got them buying."

At an estimated $1 billion to $2 billion, 2013 sales of cyber insurance
were a fraction of the $1.1 trillion in total U.S. insurance premiums last
year. But Parisi sees the number growing exponentially in the foreseeable
future.

"The growth trajectory, I see no sign of it abating," Parisi said. "Cyber
insurance is underpenetrated in the economy in general and we're at the
long end of the hockey stick heading upward."

A 2014 study, "Net Losses: Estimating the Global Cost of Cybercrime,"
conducted by software security firm McAfee for the Center for Strategic and
International Studies, estimated that cybercrime costs the global economy
$445 billion a year. The report also forecast the cost will rise as more
consumers and businesses connect to the Internet, creating in turn a larger
potential market for cyber insurance.

"Just about every business today needs cyber insurance," said Bob Hartwig,
president of the Insurance Information Institute. "More and more businesses
are transacting online and the reality is it's only going to increase as we
move forward."

Introduced more than a decade ago, cyber insurance's growth has been
spurred not only by an increase in cybercrime, but also by new regulations.

Most states now require companies to notify customers if there is a data
breach. Cybercrime is also a growing concern in the boardrooms of publicly
traded companies.

In response to public data breaches like those at Facebook in 2013 and the
restaurant chain P.F. Chang's in 2014, directors and upper-level executives
are increasingly focused on boosting companies' defenses and making sure
their firms are ready to act in the event it happens to them. Parisi said
that anytime a problem reaches that level of attention, companies are going
to act.

President Barack Obama also shone a spotlight on the problem.

In 2013 he highlighted cybercrime as a serious threat to the economy, and
issued an executive order that resulted in the Cybersecurity Framework.
Developed by private companies and the National Institute of Standards and
Technology, the framework gives companies a guideline on how to respond and
handle cybercrimes.

In the U.S., the recent growth in cyber-insurance premiums has been fueled
by two sets of customers: new clients and existing clients who are buying
additional coverage.

"The trend early on was tech, financial and health-care companies buying
insurance. That still continues," said Tim Francis, who heads insurer
Travelers' cyber division. "In the last couple of years you've seen more
retail and manufacturing firms buying insurance and now you are seeing
small- and middle-market firms buying too."

While many of the headlines about cybercrime tend to be about attacks at
large firms, The Ponemon Institute's "2014 Cost of Data Breach Study:
United States" found a company with less than 10,000 records is more likely
to be hacked than a firm with more than 100,000 records, in part because
smaller firms are less likely to have robust defenses against hackers, who
Marsh's Parisi said are not discriminating in what they attack.

"Hackers and cybercriminals are very opportunistic," Parisi said. "If they
can get 100 records or credit cards from the local dry cleaners they'll do
it."

Cyber insurance policies will depend on a company's size and the industry
in which it operates, how much data it has and what a company already does
to secure it.

Among the expenses a policy might cover: the cost of conducting an
investigation into a breach, notifying customers, reputational and crisis
management, lost business and the cost of credit monitoring.

Like the policies, the price of the coverage varies, too, though Francis
said prices are coming down as more insurers enter a market served by the
likes of Travelers, AIG, Chubb, ACE Limited and CNA. The increased
competition is making cyber insurance more affordable for many smaller
firms, which can buy policies tailored to their risk profile, which is
increasingly important for small- to mid-sized firms.

Not having cyber insurance could prove costly for businesses.

The Ponemon study found the average cost of a data breach to an
organization in 2013 rose to $5.9 million from $5.4 million in 2012. The
study looked at firms where the information of more than 500 clients had
been compromised.

Behind the rising cost, there was an increase in the number of customers
the firms surveyed lost after a breach. It's no surprise, then, that lost
business accounts for the highest portion of the costs linked to a data breach,
coming in at 38 percent, followed by legal services at 16 percent and
investigations and forensics at 13 percent.

The study found the cost of a breach can be reduced if a firm already had a
strong security profile and an incident response plan in place. It also
found companies that notify customers too quickly—before doing a thorough
assessment or forensic examination—risked increasing their costs.

For Clarity, the risk of not having cyber insurance outweighed the cost,
which Wade said was "a couple of thousands of dollars" or roughly 5 percent
of its total insurance costs.

"It's never one of those things you want to find out if it's worth having
or not," Wade said. "But it certainly helps us to rest easy at night and
focus on our business, knowing that we have it."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/