GO
Loading...

Cyber insurance becoming more mainstream

Smeel Photography | E+ | Getty Images

No company is safe these days from a cyberattack. And that's good news for the insurance business.

Read MoreWhat cyberthreats are costing US companies

Increasingly companies are trying to hedge costs associated with attacks on their networks by purchasing cyber insurance. Not only are more start-ups and established insurance providers getting into the cyber insurance business, but more companies including mom and pops are paying for insurance against cybercriminals.

The new insurance trend also underscores the growth and complexity of the cyberworld. Cyber insurance providers already are using security scores, similar to credit scores, to help gauge what kinds of businesses those insurers want to cover.

Cyber insurance "is by far the fastest growing area of insurance," said Stephen Boyer, chief technology officer and co-founder of BitSight, a start-up that rates businesses' security infrastructure.

More businesses are buying the insurance. Clients purchasing cyber insurance rose 21 percent in 2013 from 2012, according to Marsh Risk Management, a global risk management and insurance broker. Clients who bought cyber coverage of $100 million or more also rose significantly last year compared to 2012, according to a recent report from the company.

"This is one of the brightest areas of [insurance] growth for many years to come," said Robert Hartwig, president and economist at the Insurance Information Institute. "There's no question that this is a growth area for insurers as it's quickly becoming a must-have product for not only large businesses, but smaller business, who have customer data they need to protect."

Read MoreCyberattacks get bigger, smarter, more damaging

While coverage differs depending on the vendor, Boyer said an average cyber insurance plan would likely cover revenue lost during a cyberattack, when a website is taken down, legal fees related to a breach and costs tied to fixing an exploited vulnerability. The insurance plan might also cover the cost of a consumer data breach by paying for a credit monitoring service for affected customers.

Plans and coverage for businesses range in size and price, from the basic to the more complex. But excluding the retail sector, the cost of cyber insurance for most industries has come down during the last few years because more firms are bringing products to market and increasing competition, Hartwig said. The Target breach, however, drove the price up for retailers' cyber insurance.

"Just like a hurricane can affect property insurance in Florida, an event like the Target can affect the price of cyber insurance for all retailers," Hartwig said.

Cyber insurance does not cover intellectual property because insurers haven't figured out a way to account for the cost associated with that kind of loss, Boyer said.

Read MoreHow investors should play the cybersecurity war

Cyber insurance offerings also underscore the growing complexity and breadth of the cyberecosystem. "It's really the maturation of the cybersecurity world. It gives companies the ability to transfer the risk using an insurance model we have used for a long time," Boyer said.

There are few larger insurance companies that have been providing coverage for the last several years, said David Navetta, a founding partner at Information Law Group, which focuses on technology and information security.

What's your security score?

While this kind of insurance is expanding, industry watchers note the growth remains in the early stages. "It's key to note that this (cyber insurance) is still a small and growing area of insurance," Boyer said.

But cyber insurance seems here to stay and grow as companies like Liberty International, Axis, Travelers and AIG are just a few of the bigger companies offering cyber insurance products, Navetta said.

The demand for cyber insurance is becoming so strong, though, that even small providers are entering the mix.

"Coverage started out geared towards online companies. Then more industries, like retailers, wanted it and now it's going down to the local laundromat," Navetta said. "And a lot of smaller players are jumping in."

But just because the demand is there doesn't mean insurers will take on just any business.

Insurance companies still want to know what risks they are taking on—a problem that Boyer's company, BitSight, wants to solve.

BitSight uses big data analytics to determine a company's security risk score, which is basically like a credit score, but instead is used to measure and rank a business's security performance.

Boyer said companies use BitSight for three primary applications.

First, companies use BitSight's scores to determine which third-party vendors and businesses to use and interact with, because they can look at security scores and get a sense of how safe their data will be.

Second, the security scores help companies benchmark themselves against other competitors—and potentially secure an edge among their peer businesses.

And third, insurance companies use security scores to manage their own internal business risks by helping to decide which client businesses to take on, or not.

BitSight recently partnered with the insurance provider Liberty International to give the firm's policyholders access to BitSight's service so that they can always have access to their security score.

"It's great for insurers because they are their reducing risk and it's great for companies because they are more protected," Boyer said. "We are helping both sides systemically reduce risk."

By CNBC's Cadie Thompson.

Contact Technology

  • CNBC NEWSLETTERS

    Get the best of CNBC in your inbox

    To learn more about how we use your information,
    please read our Privacy Policy.
    › Learn More

Squawk Alley