In 2011, Sony’s PlayStation network was hacked, with 77 million accounts affected, leaving the company with a final bill of $170 million in damages. Unfortunately for Sony, its general liability insurance didn’t cover the breach, which was later followed up by a court ruling confirming the insurer’s stance. Thankfully, having learned its lesson the hard way, Sony was covered during its 2014 breach. The company had cyber insurance, covering most, if not all, of the $100 million estimated cost.
Major corporations are not the only targeted businesses by cyber criminals; according to the Verizon 2016 Data Breach Investigation Report, 62 percent of all cyber breach victims are small to mid-size businesses, with an average cost of $3.8 million. Recent reports have the average as high as $7 million. In response to the meteoric rise in the threat of data breaches, companies are now developing breach prevention controls, strengthening cyber security and buying cyber insurance.
Cyber insurance policies are split into two coverage groups: first-party coverage and third-party coverage. First-party coverage covers an organization’s direct losses, while third-party coverage covers claims by third parties against the organization, such as customers or partners.
Unfortunately, developing cyber policies has become a challenge, as the criteria for coverage is difficult to quantify (business scale, sensitivity of data, security posture, etc.) and there is very little historical data. These challenges make providers wary and lead to high premiums with little coverage. Some companies are forced to adopt new technologies before covering them. There is no way to know if their coverage will be sufficient. Anthem’s current breach is expected to cost the company $1 billion, greatly dwarfing their estimated $150-200 million policy.
This maelstrom of confusion is ripe for risk assessment tools. Companies like BigSight Technologies, SecurityScorecard and PivotPoint Risk Analytics have begun to develop these tools, while companies like the U.S.-based startup QuadMetrics will begin to work exclusively in the field of helping underwriters assess cyber threats. Established companies will most likely develop cyber security departments or “acqui-hire” current companies, while offering pre-breach and post-breach services.