BreachExchange mailing list archives

Rise in data breaches drives interest in cyber insurance


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Fri, 16 Aug 2013 10:59:04 -0400

http://www.csoonline.com/article/738140/rise-in-data-breaches-drives-interest-in-cyber-insurance

Companies became much more interested in insurance policies after an
incident affected them, study found

August 15, 2013 — CSO — Growing awareness of cyber threats and
reporting requirements by regulators are driving a newfound interest
in insurance products covering data breaches and other computing
risks.

Almost a third of companies (31 percent) already have cyber insurance
policies, and more than half (57 percent) that don't have policies say
they plan to buy one in the future, a recent study by the Ponemon
Institute and Experian Data Breach Resolution found.

"It's an issue that's much more front and center with senior
executives in companies now," Larry Ponemon, founder and chairman of
the Ponemon Institute, said in an interview.

"Data security may not be a top five issue with companies, but it's in
the top 10," he added.

Concern over cyber threats is so great that more than three quarters
(76 percent) of the organizations participating in the study who had
experienced a security exploit ranked cyber security risks as high or
higher than other insurable risks, such as natural disasters, business
interruptions, fire and such.

"That's very surprising," Ponemon said. "A lot of folks feel -- maybe
because of all the media coverage or all the war stories we hear about
-- that the whole area of data breach and data loss is an issue that
can have a material impact on the company."

The researchers also found the average cost of the security
incidents affecting the companies participating in the study to be
$9.3 million. When asked to predict what the average cost would be to
them in the future, respondents estimated $163 million.

Nevertheless, a company's interest in cyber liability insurance
appears to be piqued only after its data horses have left the barn.
Seventy percent of respondents say their companies became much more
interested in insurance policies after an incident, the study said.

For companies shying away from cyber liability insurance, top reasons
uncovered by the surveyors were expensive premiums (52 percent) and
too many exclusions, restrictions and uninsurable risks (44 percent).

"One of the things that makes people leery about insurance are all the
things that aren't covered in a policy," Ponemon said. "That's true of
all kinds of insurance. We think we're covered, but we're not really
covered so we live in a sort of false paradise."

Before computing was as mission critical as it has become for most
businesses, a company may have been able to persuade an insurer to
cover a loss connected to a cyber incident under the organization's
general liability insurance policy. That's not the case anymore.

"Insurance companies have tightened up their underwriting in casualty
and property policies," Ponemon explained. "We're starting to see data
breaches and security compromises specifically excluded from those
policies."

One reason for excluding those risks is they're hard to quantify.
"While interest continues to grow, the market for cyber insurance is
still immature, because the risks underlying the coverage are
difficult to quantify from an actuarial standpoint," John A. Wheeler
and Paul E. Proctor wrote in a Gartner report last year.

"With no standard set of actuarial tables, insurance carriers are
often left to their own underwriting standards and creativity when
offering cyber insurance policies," they wrote. "A lack of actuarial
data also makes cyber insurance less desirable to companies, while
increasing the price."

Insurers, though, have gotten better at quantifying certain kinds of
cyber risks. "Where cyber insurance has gained some traction is in an
area that's more quantifiable -- the data breach area," Andrew
Braunberg, a research director at NSS Labs, said in an interview.

"That's where all the action is today for obvious reasons," he
continued. "There are breach notification laws so businesses can't get
out of doing it, and there's lots of data so the insurance companies
are pretty confident what an incident is going to cost them to insure
it."

It's not so easy, however, to calculate the cost to insure other
risks, such as loss of reputation, intellectual property or network
connectivity. "The actuarial data there is nowhere near as complete or
refined as it is with the simpler breach policies," Braunberg said.

One insurer that has seen a recent bump in interest in its cyber
liability offerings is Hartford Steam Boiler. It launched a data
breach product in 2007 and a cyber threat offering this year. "We've
seen steady interest in the data breach policy over time, but a
renewed surge of interest in it over the last six months or so," Vice
President Timothy Zeilman said in an interview.

"We've seen steady interest in the cyber threat product as well," he added.

That interest is being fueled by increased awareness in the market.
"We're seeing, particularly in the media, coverage of cyber events,
whether it be cyber espionage or high profile data breaches," Zeilman
said.

Data breach laws have also contributed to increased interest in
insurance. "Data breach coverage's whole reason for being is the
notification laws that exist in 46 states," Zeilman observed. "The
purpose of those coverages is to help insureds bear the cost of
complying with state notification laws."

In addition, the U.S. Securities and Exchange Commission (SEC) has
issued guidelines suggesting public companies report cyber incidents
on corporate filings. "It wasn't the watershed event that the
insurance industry thought it would be," Zeilman said. "But it was one
of many things that's led to higher exposure for this kind of
insurance."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss