No matter the size of your organization, the odds of your operations getting profoundly disrupted by a cyber attack are high. Security technology and smart workplace policies certainly can help reduce cyber exposures. But even for businesses doing everything right, that may not be enough.
Enter cyber insurance. Demand for cyber liability policies is rapidly heating up. It is very early in the ballgame, and how it all plays out remains to be seen. But cyber insurance is on track to soon become a routine cost-of-doing-business. Here are five interconnected developments that explain why that's so:
Cyber badness keeps scaling
A king's ransom is being spent on defending business networks. Various studies show spending on cybersecurity technologies growing at a compound annual growth rate (CAGR) of between 5 percent and 10 percent. Spending on security hardware, software and services should top $101 billion by 2018, according to Gartner, and hit $170 billion by 2020, according to MarketsandMarkets.
Yet cyber attacks continue to present a material exposure far from adequately addressed at all too many organizations. A report from British consultancy Juniper Research predicts damages attributed to network breaches will rise to $2.5 trillion by 2020 (that's trillion with a 'T!') up from roughly $600 billion this year.
Cyber insurance begets a virtuous cycle
Some companies are now eager to offset at least part of their cyber exposure via an insurance policy. At the same time, more insurance carriers are taking steps to meet this pent-up demand. This sets up a possible virtuous cycle: the insurance industry gets richer, as businesses get better protected.
At least 60 insurance companies today offer standalone cyber liability policies, says the Insurance Information Institute. And more than 500 insurers provide some form of cyber risk coverage, according to the National Association of Insurance Commissioners.
PricewaterhouseCoopers predicts the cyber insurance market will maintain a robust 20 percent CAGR, swelling to $7.5 billion by 2020, up from $2.5 billion in 2014. European financial services giant Allianz goes a step further with its prediction that cyber insurance sales will top $20 billion by 2025.
Unlike the damages caused by auto crashes, fires or natural disasters, the repercussions of a network breach are extremely complex, continually evolving and difficult to pin down.
So insurance underwriters are having a devil of a time guessing at both exposures and pricing. What's more, a communication gap between corporate security officials and risk managers adds to the confusion. A recent survey by The SANS Institute, sponsored by Advisen, shows that it is equally unclear to insurance providers and prospective buyers how to define exposures, determine coverages and arrive at a fair price.
This volatile situation actually makes it a good time to buy a cyber policy, provided you're willing to become a student of the game. Terms and pricing may be highly variable. But coverages are readily available to help companies offset the financial impact of consumer notifications, business interruption, legal expenses and other damage in the event of a network breach.
Cyber insurance, even in this early form, can function as a cost-effective risk management tool. For prospective policy purchasers, whether you are a large enterprise or a small- to medium-sized business, it is important to spend time figuring out the correct level of coverage you need. Be sure to find an underwriter willing to give you credit for security controls you already have in place. Also, try to work with a knowledgeable, trustworthy insurance broker who is transparent and flexible. He or she can guide you to smart choices.
The halo effect
As more companies tighten up their network defenses, and also buy cyber insurance to offset the remaining risks, a halo effect should result. Over time, the segment of business networks that is significantly more difficult to compromise should expand, hindering cyber crime.
Cyber insurance also goes hand-in-glove with existing security and privacy rules, such as those required of healthcare companies by the Health Insurance Portability and Accountability Act (HIPAA) and those imposed on retailers by the Payment Card Industry Data Security Standard (PCI-DSS). Companies that go beyond HIPAA and PCI-DSS to tighten up their networks will presumably pay lower premiums for better coverage.
Beyond that, fully addressing your company's cyber risks can be a differentiator. In an Internet-centric economy riddled with evolving exposures, you can herald to the marketplace that your organization is among those that take meticulous care of customer and partner data.
Note: An earlier version of this article incorrectly identified Juniper Research as Juniper Networks.