DuBose said the hacker, via malware or malicious software, can now infiltrate a system and stay for months, monitoring data traffic and other information without being detected by the anti-virus scans employed by most corporations. (Read More: Pentagon in Major Expansion of Cybersecurity Force )
"As a result about 85 percent of the companies that experience a breach have to be told about it from a third party," said Dubose. "It is usually law enforcement or some other third party that tells them about the breach."
These breaches are costly and frequent. Symantec estimated the global cost of cyber-attacks in 2011 was $388 billion dollars in direct financial loss and the cost of recovering from the attacks. In its 2012 Data Breach Investigations Report telecom giant Verizon in 2011 found that 174 million records were compromised by cyber-attacks, the second highest since it started tracking data breaches in 2004.
Still, the executives surveyed by AIG are less concerned with the financial cost of an attack, than with the reputational damage an attack might cause, said Gambale. He pointed out keeping their clients information safe is critical to what many corporations do. If a data breach causes a firm to lose the trust of their clients, they lose their clients' business.
Since 1999, AIG's been in the business of insuring against these attacks. Gambale estimated cyber insurance is now a $500 million to $600 million business — one some estimate could reach a billion dollars in a few years. (Read More: How to Protect Your Devices From New Hack Threat )
Like the attacks themselves, the business of insuring against them have changed. In the past AIG provided services after a breach, including a breach coach, forensic assistance in tracing the breach, credit monitoring and notification services to clients. Today, its sells a product called CyberEdge.
CyberEdge provides proactive protection by putting additional software outside a firm's firewall to prevent globally known "bad" IP addresses from getting through that firewall. It is a product Gambale believes is for any firm, large or small.
"I believe it's for everyone," he said. "If you're handling that personal identifiable information you're held to the same laws, the same standards, the same statutes as a billion dollar company, a government, a newspaper that is handling that information as well."