Companies can mitigate losses from cyberattacks and other data breaches by purchasing cyber insurance, but they should evaluate policies carefully.
For many organizations, it’s not a question of whether they will face a data breach incident but when. This risk, say some experts, is a main reason why organizations of all sizes have been turning to insurance policies that cover data losses from cyberattacks and other incidents.
While not new, cyber insurance has been growing in popularity at an unprecedented rate. Forrester Research predicts year-over-year sales growth of about 20 percent for the next couple years. Reasons for this growth—aside from the high frequency and exorbitant costs of many breaches—include the maturation of and multiplication of available policies.
Policies can be a sound investment if purchased from reputable carriers, but companies should be sure to look for comprehensive policies covering factors such as third-party risk and for other features that can align with the company’s specific risks, say experts.
One new trend is the popularity of products among mid and small-size organizations, says Rick Betterley, president of Betterley Risk Consultants, which has published an annual report on cyber insurance for more than a decade.
Many organizations, after a data loss incident, have been glad they had insurance, says Paul Paray, counsel at the law firm Wilson Elser and a specialist in risk management and insurance. Other firms have purchased policies after an incident.
From an insurer’s perspective, one potential downside to the insurance is that there is relatively little historical data to evaluate data-loss risks, according to a recent Forrester report. “[I]nsurance companies will compensate…by charging you a higher premium,” it states.
Some security professionals wonder whether carriers will be able to afford promised payouts after an incident. “My concern is whether insurance companies will be able to keep up with hackers,” says Betterley.
(To continue reading "Breach Insurance Gains Steam," from the September 2011 issue of Security Management, please click here )
photo by David Hilowitz/flickr