Customers of the insurance brokering and risk management firm Marsh, LLC, are increasingly buying cyber insurance, with most of the buyers being companies that aggregate personal data, a senior company official told a House panel on Tuesday.

In 2015, sales of cyber insurance policies climbed 27 percent; 2014 sales of the policies were up 32 percent, and 2013 purchases jumped 21 percent, Matthew McCabe, senior vice president at Marsh, testified before the House Homeland Security cybersecurity and infrastructure protection subcommittee. Marsh is a company within the global risk, strategy and human capital firm Marsh & McLennan [MMC].

On the other hand, cyber insurance is pricey, another industry official told the subcommittee.

“I think what our members have found is cyber insurance is becoming very, very expensive; a lot more expensive than it was in the past, and that they are looking at ways to figure out where to invest the dollars they have,” said Daniel Nutkis, CEO of the Health Information Trust Alliance (HITRUST). Nutkis’ group works with the healthcare industry on improving its information security.

Where companies make the effort to properly strengthen their cyber security posture, they end up reducing their insurance premiums, resulting in “better cyber resilience” while benefiting from cyber insurance coverage, Nutkis said.

“That’s the behavior we’re trying to drive to, which is getting people to focus on really minimizing residual risk and finding ways to more cost effectively do that,” Nutkis said. “I think what we’ve demonstrated is that if in fact you make good decisions on your cyber controls you can reduce your cyber premium.”

On Monday, the Bipartisan Policy Center released a report describing the cyber insurance market as robust, saying $2 billion in premiums were generated in 2015 with some estimates saying premiums could total $7.5 billion in 2020.

Demand for cyber insurance protection is increasing because of a spate of high-profile attacks in recent years, potential personal liability concerns among corporate directors and officers, and requirements by most state governments that companies notify their customers of cyber breaches, the BPC says.

Lawmakers and others see cyber insurance as a market-driven incentive to bolster cyber security among companies and organizations.

“The very process of considering, applying for, and maintaining cyber insurance requires entities to assess the security of their systems and examine their own weaknesses and vulnerabilities,” Rep. John Ratcliffe (R-Texas), chairman of the subcommittee, said at the outset of the hearing. “This process is constructive, not only for obtaining a fairly-priced policy, but also as a means of improving the company’s security in the process.”

Before an insurance company will issue a cyber policy, underwriters review a firm’s practices, defenses, incident response plans, access privileges and network monitoring, all of which helps strengthen cyber security, McCabe said.