The cost of cyber insurance against hacking attacks has risen drastically for companies that have been victims of such attacks. As the number of data breaches of both government and corporate servers has increased in recent years, the average insurance rates for retailers rose over 30% in the first half of 2015, leading to criticism that the money spent on insurance would be better spent on prevention methods.
Even though it has been around since the year 2000, cyber security has been a difficult product to price due to the small size of the market and a lack of historical data. As cyber insurance firms seek to protect themselves from the high costs associated with a cyber breach, the value of annual premiums is expected to increase from $2.5 billion to $5 billion by 2018, according to a recent report by accounting firm PwC.
Following the breach of the health insurance company Anthem earlier this year, its general counsel claimed that the cost of renewing its cyber insurance had become “prohibitive.” The company eventually decided to continue coverage amounting to $100 million with a $25 million deductible.
Security analyst Ken Westin at the software firm Tripwire commented on the future of the cyber insurance market: “…with the rise in high profile breaches, insurers finally have data they need to assess risk, and the results are staggering. Insurers see that the financial risks of a breach to a company go far beyond initial clean up and identity theft protection for customers affected. As customers, banks and even the government file lawsuits against breached companies, the financial impact of a breach is skyrocketing.”
Because the Anthem data breach was suspected to be a result of e-mail phishing seeking out employee IDs and passwords, investing in more stringent cyber security would have limited effectiveness. Cyber security analyst Steve Ragan of CSO Online stated that prevention methods can only go so far: “Once the humans are exploited, those controls are next to useless…. Technology didn’t detect the Anthem breach, a human who was paying attention did. Self-awareness among the staff is a serious bonus to any information security program.”