The string of data breaches at Target, Home Depot, JPMorgan Chase, and so many other major brands has reinvigorated the cyberinsurance industry.
Cyberinsurance, which originally was rolled into other insurance policies or even considered unnecessary and ineffective, is enjoying a resurgence of late. Policy purchases have more than doubled in the past year, according to new data from The Ponemon Institute: 10% of companies held cyberinsurance policies in 2013, but 26% do in 2014. That's still a relatively low percentage, but insurers say cyberinsurance indeed is on the rise.
Kirstin Simonson, underwriting director for Travelers Global Technology, says US premiums today are estimated at around $1 billion, and it won't be long before they reach $2 billion.
A handful of carriers offered cyberinsurance coverage in the early days -- the late 1990s -- and the focus was more on privacy and trademark infringement. "There are now over 50 to 60 insurers" offering cyberinsurance coverage, Simonson says, including Travelers.
The surge, not surprisingly, is mostly due to data breach concerns. And cyberinsurance experts say demand is growing rapidly as companies watch victim organizations like Target and Home Depot try to dig out from under their data breach costs and fallout. Target, which reported $61 million of expenses related to the breach, had about $40 million in cyberinsurance, though security analysts estimated its overall breach costs could reach $500 million when all is said and done.
"It is not an overstatement to say that there is a 'pre-Target' and 'post-Target' state of the cybermarket for major retailers from both the underwriting and the client side," Emily Freeman, risk management cyber and professional liability specialist for the global technology and privacy practice at Lockton Companies, said in a recent report.
Simonson says concerns over data breaches are driving cyber insurance. "Most people are talking around the breach component of it. They may also be driven by regulatory compliance concerns."
However, cyber espionage attacks remain a bit fuzzy for insurers, she says. "Cost to cover intellectual property [cyberattacks] are not a widely insurable thing yet."
The cost of forensics, downtime, breach notification, credit monitoring services for customers, legal fees, and crisis management teams all factor into the insurance equation today. "They have to protect their brand reputation," and retailers look for insurers to help support that.
There are even tools now designed specifically for cyberinsurance underwriters to vet their prospective clients. This week, BitSight rolled out a security ratings service specifically for cyber insurers based on its Security Ratings Platform, which analyzes publicly available data from its global sensors that track security events and malware behavior daily for organizations, specifically looking for botnet communication, malware distribution, and email server configuration. The scoring model is akin to consumer credit ratings.
"There's not been to date a quantifiable, objective metric" for the cyber insurers, says Ira Scharf, chief strategy officer at BitSight. "We've developed a product specifically for cyber insurers… The rating technology is the same, but built on top of it is a series of analytics and specific dashboards and organizational tools that fit right into the workflow of a cyberinsurance underwriter."
The service alerts an insurer to breaches at a retailer, for instance, and how that retailer compares with other retailers security-wise. "The underwriter now has a window into the risk… If a company gets breached, how many days did it take for them to mitigate the problem? That's a real good indicator of the sophistication of a company's security procedures."
"It's the fastest-growing segment of the insurance industry," Scharf says. "Carriers are looking to develop standalone cyber products, and companies are looking for more coverage."