01/08/2014 10:22 am ET Updated Mar 10, 2014

Cybersecurity Industry Interview With Marsh's Matt McCabe: Part One

As we kick off 2014, I am starting the New Year with an interview series, which will provide an overview of the cybersecurity industry. In the first part of a three-part series, I spoke with Marsh's Senior Vice President of Network Security and Privacy Practice, Matt McCabe, discussing various components of the cybersecurity market. At Marsh, Mr. McCabe is responsible for advising clients on emerging cybersecurity trends and issues, and ways in which they can address their unique data and privacy needs. What's more -- Mr. McCabe has more than a decade of experience in the legal and cyber security realms. He served as senior counsel to the U.S. House of Representatives Committee on Homeland Security, where he advised congressional representatives on federal, state and local policy involving cybersecurity, data protection and privacy law.

Specifically, in this interview, we delve into issues concerning the cybersecurity insurance market, explaining risks, policies and costs. Stay tuned in the upcoming weeks for the second and third installments of this interview series, where we will discuss cybersecurity legislation and unique approaches to handling cyber and data privacy issues.

What is the role of a corporate insurance broker in educating companies on cyber risks and cyber insurance policies?

Marsh views security as custom fitted for each client. Companies have specific valuable assets and specific risks to protect against. A conversation with prospects or clients begins with assessing their current cyber practices. After the entity provides us with the information about their cyber practices through the "Marsh assessment," we will have the document scored and discuss the results with the client. Not every company needs to have a perfect score -- what's important is that we provide clients with the most valuable cyber assets. To give clients the best value and manage risk properly and effectively, underwriters look for evidence that cyber security is part of organizational DNA, and is addressed with an enterprise risk management approach.

What does the cyber insurance market look like these days? Expanding, contracting, reaching capacity? Are more companies seeking out coverage, and are more companies making claims on policies?

The market is up with respect to both supply and demand. The Ponemon Institute found that 31 percent of respondents already had cyber policies, while an additional 39 percent said their organizations had plans to buy. Marsh's own numbers show that its U.S. clients purchasing cyber insurance increased 33 percent in 2012 from 2011, with those in the services and educational sectors leading the way.

More companies are realizing the reality of cyber risks and are investing in policies. But the increase also reflects the innovative approaches with which carriers have responded. Today's cyber coverage is far more robust than even just a few years ago. Markets now provide not only risk transfer, but also solutions for loss prevention and risk mitigation. This is especially true for data breaches, but there are new developments being introduced for business interruption and industrial control systems as well.

In the markets, there is expanding capacity at both the primary and excess levels, which has countermanded underwriter desires for additional premium. Nevertheless, underwriters will continue to push for premium because they are seeing more claims.

Given the ever-evolving nature of the cyber threat as well as the involvement of nation states in attacks, do you think it is hard to accurately calculate a company's cyber risk profile?

We understand that security in all forms is a constantly evolving issue, with cyber being no exception. Cyber policies contain exclusions for the actions of foreign nation states, so the risk profile for their coverage is calculated without that consideration. U.S. companies are called to fend off foreign espionage with their IT budgets. The problem grows even more acute when the risk is a catastrophic attack meant to inflict as much harm as possible.

Additionally, there has been a great deal of discussion about the growth of cyber insurance, but I think we are still at the early growth stages. Especially on the business interruption side, companies and underwriters are starting to gain a greater appreciation for the consequences of network outages and corresponding revenue loss. Moreover, the growth of regulations and other federal policy efforts will add to the prominence of the cyber insurance market. When reviewing their risk profiles, companies should be actively inquiring from their brokers what solutions are available, because there are more innovations every quarter.