More than 3,000 American businesses were hacked last year, many of them small and midsize firms that are often less protected than their multinational counterparts, according to the Center for Strategic and International Studies.
That surge in cyberattacks has led to a booming industry that aims to insure against data breaches. Roughly 50 companies around the country offer cybersecurity insurance, and as of last week, there was one more: Ridge Insurance Solutions, founded by Tom Ridge, the first secretary of the Department of Homeland Security.
Ridge says the District-based firm will offer insurance policies of up to $50 million, primarily for firms that specialize in financial services, retail, health-care and energy.
“These are companies that can’t afford the high-level, multi, multimillion-dollar security efforts that the larger corporate enterprises do,” Ridge said in an interview. “This is a [service] that is desperately needed even though it is in its infancy.”
Nationally, businesses are expected to spend $2 billion on cyber-insurance premiums this year, a 67 percent increase from the $1.2 billion they spent in 2013, according to Betterley Risk Consultants. (In 2010, cyber-insurance premiums totaled just $600,000.)
More small businesses — particularly technology companies, financial institutions and retailers — are taking out cyber-insurance policies, as are contractors and vendors that serve large corporations, hospitals and government agencies.
“All of those businesses have critical data that they need to insure against any kind of unauthorized disclosure of that data,” said Matt McCabe, senior vice president for network security and privacy at Marsh, an insurance brokerage firm and risk adviser. “But we’re also seeing many other types of companies that are becoming more interested: Power and utilities are purchasing cyber; manufacturers are increasing numbers; life services companies — any company that focuses on logistics.”
A single cyber attack can cause hundreds of thousands, and sometimes millions, of dollars worth of losses, experts say.
Notifying affected customers of a credit card breach, for example, can cost upward of $500,000, according to Roberta D. Anderson, a partner at K&L Gates and co-founder of the firm’s global cyber-law and cyber security practice group.
At Target, executives estimate that last year’s data breach has cost the company $146 million to date.
“Cyber-insurance is a rapidly growing new frontier for the insurance industry,” said Robert P. Hartwig, president of the Insurance Information Institute. “We’re seeing record interest in the product because it advertises itself each time you hear about another major cyber-breach.”
Experts say that at least 75 percent of larger businesses — typically those with more than $1 billion in annual revenue — are expected to have cyber security insurance within the next few years.
The earliest forms of cyber-insurance got their start in the mid-1990s as the Internet made its way into mainstream use. At the time, only a couple of companies provided such policies, and they were limited in their scope.
“We didn’t worry about breach response back then,” said Richard Betterley, president of Betterley Risk Consultants. “That wasn’t what they were trying to insure. They were trying to insure liability, theft of data, shutting down somebody’s Web site, things like that.”
As protective technology becomes more sophisticated, hackers’ methods are following suit. Unlike tornadoes and earthquakes, where risks can be calculated, experts say there’s little experience on when — and how — cyber attacks will hit.
“You have billions of people connecting online through many, many devices, including household devices and cars,” McCabe said. “That’s a larger treasure trove of data and more vulnerabilities.”
And the increasing resourcefulness of hackers is causing rising concerns, added K&L’s Anderson, citing this summer’s breach of customer databases at JPMorgan Chase. “If they can crack JPMorgan Chase, they can crack anyone.”