The Value of Cybersecurity Insurance

Sales of cyber­se­cu­ri­ty insur­ance poli­cies are boom­ing. Tra­cy Dolin, Stan­dard & Poor’s Rat­ings Ser­vices ana­lyst, esti­mat­ed the mar­ket could reach $10 bil­lion by 2025. It was only $1 bil­lion in 2012, and it took 15 years to reach that num­ber.

It can be dif­fi­cult to get in the amounts you want, and pric­ing is all over the place. But, insur­ance is a use­ful tool for cyber risk man­age­ment, just as it is for oth­er forms of risk.


Cyber risk insur­ance appears to be help­ing cov­er costs in the most infa­mous data breach cas­es. Accord­ing to the LA Times:

Tar­get spent $248 mil­lion after hack­ers stole 40 mil­lion pay­ment card accounts and the per­son­al infor­ma­tion of up to 70 mil­lion cus­tomers. The insur­ance pay­out, accord­ing to Tar­get, will be $90 mil­lion, leav­ing the com­pa­ny $158 mil­lion in the hole — plus what it paid for cyber­at­tack insur­ance.

Home Depot report­ed $43 mil­lion in expens­es relat­ed to its Sep­tem­ber 2014 hack, which affect­ed 56 mil­lion cred­it and deb­it card hold­ers. Insur­ance cov­ered only $15 mil­lion.

I like the way Ty Saga­low, for­mer chief oper­at­ing offi­cer for AIG, described the buy­er psy­chol­o­gy that’s going on right now:

Think of a mas­sive cyber­at­tack as an intel­li­gent hur­ri­cane,” he said. “If it hits a house that does­n’t fall down it learns why the house did­n’t fall and it changes. It is a scary thing.… Scary things sell insur­ance.”

Com­bine the fear fac­tor with the sup­ply chain pres­sure I wrote about last week, and you’ll real­ize more medi­um and small com­pa­nies are being required to pur­chase cyber­se­cu­ri­ty poli­cies as a pre­req­ui­site to doing busi­ness with large com­pa­nies. Remem­ber that the Tar­get breach was report­ed to have orig­i­nat­ed with an HVAC con­trac­tor.

One expec­ta­tion I have is that insur­ance com­pa­nies will be able to fig­ure out which con­trols actu­al­ly reduce risk and then offer pre­mi­um dis­counts for com­pa­nies who imple­ment them. This is a sim­i­lar pat­tern to offer­ing low­er fire insur­ance pre­mi­ums when you install an auto­mat­ic sprin­kler sys­tem. Or, dis­counts on your auto pol­i­cy for day­time run­ning lights.

Have you bought cyber risk insur­ance? What was it like?


Please note: I reserve the right to delete comments that are offensive or off-topic.