Cyberinsurance isn't new, but five years into widely available policies, many companies still don't have policies in place.
"As specialist insurance becomes more affordable, I expect the take up to increase," said Oliver Brew, a technology underwriter for London-based Hiscox Plc. insurance provider. "With that, I anticipate claims to increase too, as hackers try to stay ahead of available technology defenses."
That doesn't mean interest isn't there. Because of vaguely worded state and federal regulations and the impossibility of 100% network security, a new type of insurance claim is emerging -- one that protects insured enterprises against privacy-related lawsuits under provisions of the Graham-Leach-Bliley Act, California State Bill 1386 and other regulations.
"We are seeing breach of privacy claims due to unauthorized access to or use of personal identifiable information," said Peter Foster, senior vice president and co-leader of the information risk management practice at Marsh Inc., a leading risk and insurance services firm. "Regulatory requirements to publish the breach incident are triggering multi-party lawsuits that have cost insurers excess of $1 million per incident in some cases."
Cyberinsurance covers a number of other areas often not available in traditional business policies, including denial-of-service attacks, damage cased by hackers, malicious insiders, worms and viruses, and electronic theft of confidential information. More than a few companies are confused by coverage. Ernst & Young, for instance, last year reported in its Global Information Security Survey that one-third of 1,400 respondents mistakenly thought computer security events were covered under conventional business policies.
Denial of service and downstream liability claims are also on the rise.
"We have seen several incidents, where Web site downtime has caused businesses to lose revenue," Brew said. "Denial-of-service attacks have generally been the most common cause."
Foster says that a tangible value can be placed on such a claim. "Denial-of-service attacks are launched off of corporate sites and distributed to customer and partner networks, slowing or shutting down applications. Multiple losses to those networks create and aggregate liability that could reach several million dollars."
Prior to this recent upswing, experts say the most common cyberinsurance claims were for copyright infringement, libel, slander and trademark violations.
Cyberinsurance also results in higher investments in security, decreasing potential risk. And it protects insured companies from millions of dollars in lawsuits. "Security breaches are specifically excluded in many conventional policies," Foster said. "It fills gaps for claims like extortion and business interruption."
Such breaches could be catastrophic for companies more reliant than ever on their electronic data and systems. "The role of cyberinsurance is to provide a safety net behind the security systems in place in the event that they are breached," Brew said.
Just how popular these kinds of policies now are is hard to say. The insurance industry does not handily release figures and none of the insurance experts contacted for this story provided firm numbers behind their claims. But if recent months' activity and media publicity are any indication, there's no doubt inquiries are up and a growing number of enterprises are signing up for cybersecurity coverage.
