LAS VEGAS—As security threats and breaches continue to mount, demand is growing for insurance services that help mitigate risk, and the cyber-insurance business is growing with it. In a session at the Interop conference here, David Bradford, co-founder of Advisen, detailed the current state of the cyber-insurance market. According to Advisen's analysis, the cyber-insurance business in 2015 generated $2.5 billion in premiums.
Compared with other areas of the insurance industry, cyber is still relatively small: commercial auto insurance generates $25.8 billion in premiums and workers' compensation comes in at $55 billion. The cyber-insurance market is growing, however, and Advisen forecasts that by 2020 it will generate $5.0 billion in premiums. Other insurance vendors are even more optimistic, with PwC forecasting $7.5 billion and ABI predicting $10 billion in premiums in 2020.
Bradford stated emphatically that cyber-insurance really does work, but today it is a complicated product with policies and premiums that can vary broadly across different insurers. In general terms, cyber-insurance can include coverage for data breach costs, account takeovers, distributed denial-of-service (DDoS) attacks and even regulatory actions for privacy-related infractions.
In terms of the insurance provider landscape, Bradford said that there are approximately 60 companies that write cyber insurance policies today and, in his view, many are just making it up as they go along, with little continuity of policies across different underwriters.
Bradford noted that there can also be some limited protection in general corporate insurance for cyber-security risks, but the trend he's seeing is that insurers are excluding cyber from general insurance policies.
Common items that are covered in cyber-insurance policies are post-breach services that help organizations to deal with the consequences of a security incident. Many policies will also pay for liability and legal defense costs related to a security incident. As such, if an organization is sued due to a breach, the insurer will help pay for the defense, and if the organization has to pay a settlement, the insurer will cover that too. Cyber-insurance policies can also cover legal fines and penalties and include business interruption coverage.
Items that aren't typically covered in a cyber-insurance policy include reputation damage, which Bradford said is very difficult to determine. In addition, most cyber-insurance policies will not cover cyber-related bodily injuries or property damage. Another item that is typically not covered is the cost or value of stolen intellectual property.
For companies with less than $500 million in revenue, policies with limits of between $1 million and $5 million cost between $2,000 and $5,000. For companies with more than $500 million in revenue, for a policy with limits of $5 million to $20 million, Bradford said, premiums will range from $100,000 to $500,000.
In the past, Bradford said, many IT people weren't all that enthusiastic about buying cyber-insurance, as it could somehow imply a loss of confidence in the IT organization. That attitude is now changing, and many IT professionals now appreciate the value of cyber-insurance.
"When it comes down to it, cyber-insurance is not a substitute for information security," Bradford said. "But it can be a backstop for when things go wrong."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.