The increasing risk of data breaches and hacks, ranging from the extensive and ongoing Sony Pictures Entertainment incident to the less severe but still unsettling potential break-in at Chick-fil-A, is prompting more companies to embrace cybersecurity insurance.
One reason is that the cybersecurity outlook is grim, as experts expect it's only going to get worse before it gets better.
"Exposure, unfortunately, is heightened by our increasing reliance on our wired electronic infrastructure," Chase Cotton, director of the University of Delaware's Center for Information and Communications Sciences, told DelawareOnline.
Another reason is that cybercriminals remain one step ahead and are getting more sophisticated all the time, writes Robert Siciliano, CEO of IDTheftSecurity.com, in a column at Business.com.
A third reason is the growing losses companies are dealing with from cyberintrusions. A Forbes report states the median financial institution is already spending as much as $2,500 per employee on cybersecurity. No wonder cybersecurity insurance is already a $2 billion industry.
In 2013, more than 3,000 small to midsized U.S. businesses were hacked, according to a Homeland Security News Wire report, and few had any sort of cybersecurity insurance.
But just a year later, as of 2014, American businesses were expected to pay up to $2 billion in cyberinsurance premiums, a 67 percent spike from the $1.2 billion spent in 2013. Current expectations by one industry watcher suggest 100 percent growth in insurance premium activity, possibly 130 percent growth.
"Off the charts," Bob Parisi, the national cyberrisk product leader at insurance firm Marsh, told The Hill in describing policy adoption. "Kind of the hockey stick analogy."
But grabbing an insurance policy, warn experts, is just one piece of the strategy to gain better protection against hackers and cyberthreats. And in choosing a policy, companies need to do their homework regarding what is covered, the liability not covered, and why general liability coverage no longer does the job.
"As a general rule, companies should look to purchase specific cyberliability coverage," Brian Himmel, a partner at Reed Smith, an insurance recovery group, told Tech Times. "Such coverage may be provided in several forms: as a stand-alone policy, as an endorsement to other forms of coverage, or as a module (component) of a multirisk policy."
When choosing a cyberinsurance provider and policy, there are a number of things to consider. For example, a good approach is a policy that covers both network security and data breaches.
"Coverage should extend to cover forensics, notification costs, credit monitoring, legal services, public relations, cyberextortion, and suits from third parties, as well as regulatory fines and penalties in defense that may arise from such data breaches," Harris Tsangaris, senior VP at NFP's property and casualty division, told Tech Times. "If you're a retailer accepting credit cards, coverage should extend to cover PCI (payment card industry) fines and penalties."
While online insurance is viewed as a good move by many, as with any form of insurance, companies must ensure online assets are well-protected whether or not a policy is in place. As one expert related, it's akin to the scenario with health insurance. Having health insurance is not an excuse to be careless with one's health; it's a backup in case of an emergency or in case someone gets sick.
As Tech Times has reported, there are a number of best practices and steps companies need to implement to ensure good cybersecurity mechanisms are in place.
"Both online security and insurance are critical components to effective risk management for businesses," says Himmel. "As such, a business should not consider these components as part of an 'either/or' equation, but rather must determine the best way to allocate resources between the two."