Why cyber-insurance will be the next big thing by Mary Thomson

02/07/2014 22:53

Earlier this year, New York City-based staffing agency Clarity bought cyber-insurance for the first time. This spring it added more coverage.

"We were actually hearing about it from our clients," said Elizabeth Wade, Clarity's operations manager. "They were asking us about it and in order to prevent being behind the eight ball we felt like we really wanted to be proactive and get the insurance 'cause we knew it was something that was important to our clients, and then it was important to us as well."

With a staff of 30, Clarity was looking to protect the information it takes from the clients it places, like their Social Security numbers and dates of birth. The initial coverage it bought from insurer CNA covered any legal costs and the costs of lost business that would come with a breach. This spring it added coverage for credit monitoring if its client data are hacked.

Clarity is one of a growing number of small businesses buying cyber-insurance, and one of the reasons sales of this product are skyrocketing.

Read More Astros furious after hacking

Robert Parisi, network security and privacy practice leader for insurance broker Marsh USA, a unit of Marsh & McLennan, told CNBC that on the heels of a 21 percent increase in Marsh's cyber-insurance sales in 2013, sales for the first half of 2014 are double what they were for the same time last year. 

"The number of (data) breaches in 2013 certainly was the last straw in the camel's back," Parisi said, referring to well-publicized breaches like the one involving more than 110 million Target clients last winter. "A lot of people who were sitting on the sidelines. it got them buying."

At an estimated $1 billion to $2 billion, 2013 sales of cyber-insurance were a fraction of the $1.1 trillion in total U.S. insurance premiums last year. But Parisi sees the number growing exponentially in the foreseeable future. 

"The growth trajectory, I see no sign of it abating," Parisi said. "Cyber-insurance is underpenetrated in the economy in general and we're at the long end of the hockey stick heading upward."

A 2014 study, "Net Losses: Estimating the Global Cost of Cybercrime," conducted by software security firm McAfee for the Center for Strategic and International Studies, estimated that cybercrime costs the global economy $445 billion a year. The report also forecast the cost will rise as more consumers and businesses connect to the Internet, creating in turn a larger potential market for cyber-insurance.

Read MoreRussia linked to energy cyberattack

"Just about every business today needs cyber-insurance," said Bob Hartwig, president of the Insurance Information Institute. "More and more businesses are transacting online and the reality is it's only going to increase as we move forward."

Introduced more than a decade ago, cyber-insurance's growth has been spurred not only by an increase in cybercrime, but also by new regulations.

Most states now require companies to notify customers if there is a data breach. Cybercrime is also a growing concern in the boardrooms of publicly traded companies.

In response to public data breaches like those at Facebook in 2013 and the restaurant chain P.F. Chang's in 2014, directors and upper-level executives are increasingly focused on boosting companies' defenses and making sure their firms are ready to act in the event it happens to them. Parisi said that anytime a problem reaches that level of attention, companies are going to act. 

Read More Facebook fights NYC on shielding customer data

President Barack Obama also shone a spotlight on the problem.

In 2013 he highlighted cybercrime as a serious threat to the economy, and issued an executive order that resulted in the Cybersecurity Framework. Developed by private companies and the National Institute of Standards and Technology, the framework gives companies a guideline on how to respond and handle cybercrimes.

In the U.S., the recent growth in cyber-insurance premiums has been fueled by two sets of customers: new clients and existing clients who are buying additional coverage

"The trend early on was tech, financial and health-care companies buying insurance. That still continues" said Tim Francis, who heads insurer Travelers' cyber division. "In the last couple of years you've seen more retail and manufacturing firms buying insurance and now you are seeing small- and middle-market firms buying too."

While many of the headlines about cybercrime tend to be about attacks at large firms, The Ponemon Institute's "2014 Cost of Data Breach Study: United States" found a company with less than 10,000 records is more likely to be hacked than a firm with more than 100,000 records, in part because smaller firms are less likely to have robust defenses against hackers, who Marsh's Parisi said are not discriminating in what they attack. 

"Hackers and cybercriminals are very opportunistic," Parisi said. "If they can get 100 records or credit cards from the local dry cleaners they'll do it."

Read More  Cybersecurity firm says large hedge fund attacked

Cyber-insurance policies will depend on a company's size and the industry in which it operates, how much data it has and what a company already does to secure it.

Among the expenses a policy might cover: the cost of conducting an investigation into a breach, notifying customers, reputational and crisis management, lost business and the cost of credit monitoring. 

Like the policies, the price of the coverage varies, too, though Francis said prices are coming down as more insurers enter a market served by the likes of Travelers, AIGChubbACE Limited and CNA. The increased competition is making cyber-insurance more affordable for many smaller firms, which can buy policies tailored to their risk profile, which is increasingly important for small- to mid-sized firms.

Not having cyber-insurance could prove costly for businesses.

The Ponemon study found the average cost of a data breach to an organization in 2013 rose to $5.9 million from $5.4 million in 2012. The study looked at firms where the information of more than 500 clients had been compromised.

Behind the rising cost, there was an increase in the number of customers the firms surveyed lost after a breach. It's no surprise then, that lost business accounts for highest portion of the costs linked to a data breach, coming in at 38 percent, followed by legal services at 16 percent and investigations and forensics at 13 percent.

The study found the cost of a breach can be reduced if a firm already had a strong security profile and an incident response plan in place. It also found companies that notify customers too quickly—before doing a thorough assessment or forensic examination—risked increasing their costs.

For Clarity, the risk of not having cyber-insurance outweighed the cost, which Wade said was "a couple of thousands of dollars" or roughly 5 percent of its total insurance costs. 

"It's never one of those things you want to find out if it's worth having or not," Wade said. "But it certainly helps us to rest easy at night and focus on our business, knowing that we have it."

—By CNBC's Mary Thompson.