Most businesses view Internet security as a combination of passwords, firewalls and antivirus software. But in a growing number of cases, those defenses have not been enough. So the insurance industry has created a product that offers financial protection from a wide array of digital disasters: cyber insurance.
Afraid of being sued or fined if your company leaks sensitive customer data online? Worried that hackers will crash your website or extort your business for millions of dollars? There are policies that cover those predicaments and others, creating a new source of revenue for the insurance industry.
"Traditional insurance covered fires and floods, but what about a hacker who takes down your business?" said Jim Whetstone, the U.S. privacy product manager for the insurance company Hiscox USA.
It is a question with greater resonance in light of several expensive data breaches this year at major corporations. Sony expects to pay nearly $180 million in costs related to hackers publishing the personal information of about 100 million customers online earlier this year.
But exactly what insurers will cover in the event of a cybersecurity failure can be a matter of dispute. Sony's insurer, Zurich American Insurance, filed a lawsuit in July seeking to avoid paying claims related to the breach, arguing that Sony's insurance policy only covered bodily injury and property damage.
Cyber insurance has existed for about a decade but is gaining popularity as business owners witness the heavy price of data breaches, and laws in nearly every state require companies to disclose when they lose customer data, industry experts say.
Those disclosures result in expenditures, which many cyber insurance policies now cover: buying credit-monitoring service for customers, paying regulatory fines, hiring lawyers to fight potential lawsuits and hiring public relations specialists to defend the company's image from negative media attention.
"All those are direct costs that any organization may face, and they can be quite expensive if it's a large breach," said Geoff Allen, head of the cyber-risk practice at the insurance broker Willis Group. "It's not only embarrassing, but it can be extremely costly and extremely disruptive."
The average cost of a data breach is nearly $7 million, or about $200 per record, according to a study released last year by the Ponemon Institute, a cybersecurity think tank. The most expensive data breach last year cost a company nearly $31 million to resolve, according to the study.
About 30 insurance companies now sell cyber insurance policies to financial institutions, hospitals, schools, restaurants, retailers and municipalities. While commercial property and casualty insurers have struggled in the financial downturn, some cyber insurers have seen their revenues double, according to Betterley Risk Consultants, an insurance consulting firm. The market for cyber insurance is projected to grow from $600 million in premiums last year to $800 million this year, according to the firm.
"A couple years ago IT people would tell me, 'It can't happen here. We have the best defense possible,'" said Richard Betterley, president of Betterley Risk Consultants. "Now they say, 'We have the best defense possible and it could still happen here.'"
However, insurers may not be willing to cover every Internet threat. Some do not offer policies for computer viruses because reinsurance companies, which insure the insurers, are often nervous about widespread attacks that can affect multiple insurers at once, Betterley said.
Yet computer viruses are one of the most common cybersecurity incidents that businesses face, and one of the most expensive to fix, according to Alan Paller, director of research at the SANS Institute, a training organization for computer security professionals.
"It gets into one system and tends to spread once it gets in," he said. "It costs a fortune to clean up."
Sony is not the only company facing a lawsuit with its insurer over a cybersecurity failure. Last year, Colorado Casualty Insurance filed a lawsuit saying it was not responsible for paying $3.35 million in costs related to a data breach at the University of Utah. The suit is still pending.
Steven McMurray, a lawyer representing Perpetual Storage, which housed the data for the University of Utah, declined to discuss the lawsuit. But he said if organizations would properly encrypt their data, there would be no need for cyber insurance because no customer information would be lost.
"If data is properly encrypted, this would be a non-issue," he said in an interview.
Still, insurers are selling cyber insurance policies as financial security for the day when security fails. And as technology evolves, they are creating new policies to address the latest threats, including the risk of data loss and business disruptions from cloud computing. When Amazon.com's cloud service went down in April, many businesses that relied on Amazon's servers were inaccessible to customers for several hours, potentially causing the businesses to lose revenue, Whetstone said.
Even small towns are buying policies to make them whole in case they get hacked. Last year, the City of Poughkeepsie took out a cyber insurance policy after hackers wired $378,000 in town funds to banks in Ukraine. Poughkeepsie, which eventually recovered the money, now spends $3,000 a year to insure up to $1 million in costs related to computer fraud. But officials there say it is a small price to pay for a rare commodity in the Internet age: peace of mind.
"More and more business is being done over the Internet," said Poughkeepsie Town Supervisor Patricia Myers. "It would be like living in a flood plain and not buying flood insurance. You need to be protected."