A recent study found that 31% of companies have cybersecurity insurance policies, while 39% planned to purchase a policy in the future. Ponemon Institute, a data privacy and cybersecurity research firm, found that 70% of companies that have experienced a data breach said that experience increased their interest in cyber insurance. However, some companies are still skeptical about cyber insurance, with 33% saying their company has no interest in purchasing a policy at this time. For those who have not purchased a policy, the biggest barrier was cost: 52% said premiums are too expensive. And 44% of companies that do not have policies cite as their reason the fact that the policies contain too many exclusions, restrictions and uninsurable risks.
The White House has put forth a loosely defined set of incentives designed to convince private companies to adopt the voluntary aspects of its so-called “Cybersecurity Framework.” At the top of the list is a proposed cybersecurity insurance market, which calls for the adoption of risk-reducing measures and risk-based pricing models. The program is set to launch in early 2014, but the details are still fuzzy.
The average “operational” cost of a data breach in the U.S. is approximately $5 million, which generally includes four cost categories: (1) detection or discovery; (2) escalation, or reporting of the breach to appropriate personnel; (3) notification of those whose personal information was breached; and (4) after-the-fact response to minimize harm to victims, such as credit monitoring, issuing of new cards or accounts, etc.
Given the high cost of a data breach incident and the fact that these incidents are occurring with more frequency, it may be time to take a closer look at getting insurance coverage.