Hack Attacks Help Boost Insurance Business
More than 138 million American adults have life insurance. Why? Because death is one of the only guarantees in life — that and taxes. And now, perhaps, getting hacked can be added to the list, and that's been a boon to the cyber-insurance industry.
"Any high-value organization has been or will be attacked soon — that is almost certain in today's world," said William Stewart, the leader of Booz Allen Hamilton's Cyber Technologies Center of Excellence.
It's an issue that's keeping C-suite executives up at night. Fear of a cyberattack tops the list of major business risks that CEOs are most concerned about, according to a recent study sponsored by American International Group.
(Read More: Execs Say Cyberattacks a Top Threat: AIG Survey)
That fear appears to be driving business to the insurance industry. Cyber-insurance policies have been around for over a decade but their use has really only spiked in the past few years, and business is expected to grow.
As of June 2012, the Betterley Report, an independent guide to specialty insurance products, estimated that the total insurance premium for cyber-insurance was about $1 billion in the United States. The report's publisher, Richard Betterley, said he anticipates the premium to hit $1.2 billion in this year's report.
Insurance brokerage firm Marsh, whose parent company is Marsh and McLennan, said it has seen a 30 percent increase over the last year when it comes to its cyber business.
"There was a day when IT-related risks seemed to exist only for computer and technology firms," Bob Parisi, Marsh's Network Security and Privacy Practice Leader, told CNBC. "Now, the reality has set in that any company that handles, collects, or stores information; or any company that uses a computer network in its operations has this risk."
Marsh's clientele for cyber-liability insurance includes financial institutions, retail, health care, higher education, and media and tech industries. However, Parisi said there is new demand from companies within the manufacturing, biotechnology, and pharmaceutical sectors.
(Read More: 10 Ways Companies Get Hacked)
So what exactly is cyber-liability insurance?
Plans include everything from business interruption coverage, which covers reimbursement for lost revenue resulting from an attack; privacy and security liability, which provides protection for claims such as lawsuits arising from an actual or alleged failure of computer security; cyber-extortion coverage, which covers ransom or investigative expenses associated with a threat; and information asset coverage, which provides reimbursement for the actual and necessary costs incurred to restore an organization's information and computer system assets.
Costs for these plans can vary depending on the company's size as well as the breadth and scope of coverage purchased.
Maria Treglia, chief sales officer at Program Brokerage Corporation, a division of HUB International, said she has seen sales of cyber-liability insurance increase ten-fold over the last year.
The company expects an even bigger expansion of that business this year.
"There is significant interest in this product by our middle-market clients with between $10 million to $1 billion in revenue," Treglia told CNBC.
(Read More: Is Washington to Blame for Cybersecurity Threat?)
Insurance companies are now fighting each other for clients, she said, so they can build up their books to sustain the losses they know will come in. "Each is trying to out-do the other in policy terms and conditions they will offer a client as well as risk management services. This is a win-win for our clients."
However, some remain skeptical.
"It's human nature to want to 'check all the boxes' to protect yourself from today's threats, but at the end of the day, insurance won't protect your company from losing sensitive intellectual property," said John Prisco, CEO of the cybersecurity company Triumfant.
"Signing up for insurance alone is not enough," he added. "Security professionals need to employ a higher level of diligence to make sure they're taking the proactive steps to protect their companies on the front-end rather than simply making sure the damage isn't as bad once it's done."
(Read More: The Dirty Email Trick Favored by Hackers)
In fact, cyber criminals are much more organized these days. According to Fortinet's 2013 Cybercrime report, they are operating more like a legitimate business with a complex hierarchy.
The bottom line, Prisco said, is no amount of insurance is going to save a company if trade secrets are revealed as a result of a successful cyber attack.
And when it comes to cyber crime, most experts would agree, no protection is perfect.