Multinational insurance provider AIG today told The Financial Times that sales of cyber insurance had jumped up by 30 percent in 2013 when compared with the year before.
“What we've being seeing is significant growth,” said Tracie Grella, who oversees AIG's cyber insurance initiatives as the head of professional liability. She added that cyber insurance had jumped by 30 percent on a year-on-year basis in 2013.
Despite this, there are conflicting figures on how just big cyber insurance has become. For all the prominent hacks against the likes of Target, a report from Experian late last year found that just 31 percent of US companies had cyber insurance policies in place. However, another study from risk management research firm Betterley Risk Consultants founds that the annual gross premium for US cyber insurance policies was USD $1.3 billion (£734.2 million).
It is perhaps no surprise then that one information security expert believes that it is still early beginnings for the nascent cyber insurance market.
“It's an immature market,” said Karl Schimmeck, VP of financial services operations at Sifma, an industry group for financial companies that last year spearheaded a simulated wide-scale cyber attack on Wall Street, when speaking to the FT.
“The risks are not very well understood. There's not a lot of historical information that insurance companies can call on to quantify their risk. That's part of the problem.”
Even AIG's own CEO, Peter Hancock, confessed at a recent conference that the market has plenty of growth ahead.
“This is still a very small market that gets more talk than action, but it is a growth opportunity,” said Peter Hancock, executive vice president of American International Group Inc and CEO of the insurer's property/casualty unit.
Speaking shortly after the announcement, Lior Arbel, the CTO of information security firm Performanta, said that the figure was welcome news, but worries that the policies themselves may not cover enough.
“It is not surprising given the growing prevalence of cyber-attacks that insurance to protect a company's assets from the danger is also growing to match the threat,” Arbel told SCMagazineUK.com.
“However, although insurance is important, it ignores that the damage from a cyber-attack goes far beyond specific infrastructure or hardware damages. The full effect of a cyber-security attack could involve not only the loss precious lost data, and a loss of trust, but also result in irreparable reputational damage with customers.
“Priority for budget must therefore be in technologies and strategies to prevent the cyber-attack in the first place. Businesses need to take proactive steps to ensure its information is properly monitored and secured, from external and internal threats, with the implementation of an effective Data Loss Prevention system.
"If a company or its customer data is stolen, no amount of insurance money will win back confidence in the company.”
Ashish Patel, regional director at Stonesoft, a McAfee Group Company, added that this is the latest sign that organisations are beginning to take cyber attacks seriously.
“This growth highlights the seriousness with which organisations are now taking the credibility of cyber-attacks with the digitalisation of business,” he told SCMagazineUK.com.
“Mass investment in insurance indicates that many businesses are out of their depth and are starting to realise that they now need to view cyber security as a whole package. This includes prevention techniques, mitigation, defence strategies and also compensation should the worst happen.