Demand for cyber insurance up by one third in 2012, says leading broker

Out-Law News | 18 Mar 2013 | 12:12 pm | 3 min. read

The number of companies insuring themselves against the consequences of a data breach or cyber attack increased sharply last year, a leading insurance broker has said.

Marsh reported that the number of its clients in the US purchasing so-called ‘cyber insurance’ rose by 33% in 2012, with the biggest increases in the services and education sectors. Amongst business, legal, accounting and other firms classed as ‘services’ by the broker, the number of firms purchasing cyber insurance increased by 76% in 2012, while there was an increase in 72% amongst those in the education sector.

The firm also reported a nearly 20% increase in the levels of coverage purchased by its clients, with an average limit of $16.8 million in 2012. The average limit purchased by communications, media and technology companies alone rose by almost 36% on the previous year, to $33.4m, Marsh said.

“Awareness of cyber and privacy risks continue to grow, especially in the wake of a number of highly visible data breaches, hacking attacks, litigation and increased government focus on cyber security,” said Bob Parisi, head of March’s Network Security and Privacy Practice. “As a result, companies are now looking to manage their day-to-day cyber risks in the same way they do more traditional risks - through the purchase of insurance.”

Rates for those firms purchasing cyber insurance remained “essentially flat” by the end of 2012, according to Marsh, although it reported that market conditions varied significantly depending on the size of the company purchasing the product. Smaller companies typically paid less for cyber coverage than larger companies, which have been experiencing more severe and frequent claims, Marsh said.

The figures were published as the UK Government rejected the possibility of a new cyber crime treaty, with Home Office minister James Brokenshire saying that any such treaty would take too long to implement and would quickly go out of date. In a speech at BCS, the Chartered Institute for IT, the minister instead announced the creation of a new Cyber Crime Reduction Partnership to tackle the growing threat of cyber crime. The group, to be led by the Home Office, will be made up of police, academics and industry experts, Brokenshire said.

“For too long the public’s perception of cyber crime has been a lone bedroom hacker stealing money from a bank account,” the minister said. “But the reality is that cyber criminals are organised and global, with a new breed of criminals selling ‘off the shelf’ software to aid gangs in exploiting the public.”

“This Government is committed to tackling this threat and we have already had great success. But we want to go further and through the creation of the National Cyber Crime Unit within he NCA and innovations such as the new Cyber Crime Reduction Partnership, I am confident we can bring these criminals to justice.”

Existing international agreements, such as the Budapest Convention, “set out clearly what countries need to do in terms of legislation, law enforcement procedures, and how to work together” to tackle cyber threats, Brokenshire said.

“International cooperation continues to be central to our approach for tackling other potential online threats,” he said.

However, technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, pointed out that the approach being advanced by the UK was softer than that apparently being taken in the US. In a television interview last week, President Barack Obama said that the US planned to get “tough” with China following allegations of state-sponsored cyber attacks on America. Obama said that the US had seen a “steady ramping up of cyber security threats” originating from China, some of which were “state sponsored”.

Scanlon said that although he welcomed the increasing uptake of cyber insurance policies by companies in every sector, comparing the increasing dependency of businesses on technology with physical infrastructure was disingenuous. The nature of the information at risk in the event of a data security breach made it even more vital to insure against this type of incident, he said.

“It is one thing to compare the dependency of businesses on technology with physical infrastructure and reason that there should be a greater uptake of cyber insurance in order to protect against business interruption, general third party liability risks and compliance costs in the event of a data breach or the introduction to systems of a security threat,” Scanlon said.

“But it is also important to keep in mind that security breaches can result in a loss of corporate confidentiality which may place trade secrets at risk and bring into question the use of third party intellectual property. It is in this context that businesses should assess the extent to which they have in place an effective strategy to mitigate the varied risks which arise in the cyber context,” he said.

Research by professional services firm PwC earlier this year indicated that many financial services firms appeared to be “complacent” about the risks of being exposed to cyber crime. Less than a fifth of respondents to a global survey had all five “cybercrime incident response mechanisms” it recommended, it said.