Get All Access for $5/mo

Cyber Insurance: The Next Big Thing for Businesses A growing number of small businesses are buying up cyber insurance to protect themselves in the event of a cyber attack.

By Mary Thompson

This story originally appeared on CNBC

Why cyber-insurance will be the next big thing

Image credit: Shutterstock

Earlier this year, New York City-based staffing agency Clarity bought cyber insurance for the first time. This spring it added more coverage.

"We were actually hearing about it from our clients," said Elizabeth Wade, Clarity's operations manager. "They were asking us about it and in order to prevent being behind the eight ball we felt like we really wanted to be proactive and get the insurance 'cause we knew it was something that was important to our clients, and then it was important to us as well."

With a staff of 30, Clarity was looking to protect the information it takes from the clients it places, like their Social Security numbers and dates of birth. The initial coverage it bought from insurer CNA covered any legal costs and the costs of lost business that would come with a breach. This spring it added coverage for credit monitoring if its client data are hacked.

Clarity is one of a growing number of small businesses buying cyber insurance, and one of the reasons sales of this product are skyrocketing.

Read More: Astros furious after hacking

Robert Parisi, network security and privacy practice leader for insurance broker Marsh USA, a unit of Marsh & McLennan, told CNBC that on the heels of a 21 percent increase in Marsh's cyber insurance sales in 2013, sales for the first half of 2014 are double what they were for the same time last year.

"The number of (data) breaches in 2013 certainly was the last straw in the camel's back," Parisi said, referring to well-publicized breaches like the one involving more than 110 million Target clients last winter. "A lot of people who were sitting on the sidelines. it got them buying."

At an estimated $1 billion to $2 billion, 2013 sales of cyber insurance were a fraction of the $1.1 trillion in total U.S. insurance premiums last year. But Parisi sees the number growing exponentially in the foreseeable future.

"The growth trajectory, I see no sign of it abating," Parisi said. "Cyber insurance is underpenetrated in the economy in general and we're at the long end of the hockey stick heading upward."

A 2014 study, "Net Losses: Estimating the Global Cost of Cybercrime," conducted by software security firm McAfee for the Center for Strategic and International Studies, estimated that cybercrime costs the global economy $445 billion a year. The report also forecast the cost will rise as more consumers and businesses connect to the Internet, creating in turn a larger potential market for cyber insurance.

Read More: Russia linked to energy cyberattack

"Just about every business today needs cyber insurance," said Bob Hartwig, president of the Insurance Information Institute. "More and more businesses are transacting online and the reality is it's only going to increase as we move forward."

Introduced more than a decade ago, cyber insurance's growth has been spurred not only by an increase in cybercrime, but also by new regulations.

Most states now require companies to notify customers if there is a data breach. Cybercrime is also a growing concern in the boardrooms of publicly traded companies.

In response to public data breaches like those at Facebook in 2013 and the restaurant chain P.F. Chang's in 2014, directors and upper-level executives are increasingly focused on boosting companies' defenses and making sure their firms are ready to act in the event it happens to them. Parisi said that anytime a problem reaches that level of attention, companies are going to act.

Read More: Facebook fights NYC on shielding customer data

President Barack Obama also shone a spotlight on the problem.

In 2013 he highlighted cybercrime as a serious threat to the economy, and issued an executive order that resulted in the Cybersecurity Framework. Developed by private companies and the National Institute of Standards and Technology, the framework gives companies a guideline on how to respond and handle cybercrimes.

In the U.S., the recent growth in cyber-insurance premiums has been fueled by two sets of customers: new clients and existing clients who are buying additional coverage

"The trend early on was tech, financial and health-care companies buying insurance. That still continues" said Tim Francis, who heads insurer Travelers' cyber division. "In the last couple of years you've seen more retail and manufacturing firms buying insurance and now you are seeing small- and middle-market firms buying too."

While many of the headlines about cybercrime tend to be about attacks at large firms, The Ponemon Institute's "2014 Cost of Data Breach Study: United States" found a company with less than 10,000 records is more likely to be hacked than a firm with more than 100,000 records, in part because smaller firms are less likely to have robust defenses against hackers, who Marsh's Parisi said are not discriminating in what they attack.

"Hackers and cybercriminals are very opportunistic," Parisi said. "If they can get 100 records or credit cards from the local dry cleaners they'll do it."

Read More: Cybersecurity firm says large hedge fund attacked

Cyber insurance policies will depend on a company's size and the industry in which it operates, how much data it has and what a company already does to secure it.

Among the expenses a policy might cover: the cost of conducting an investigation into a breach, notifying customers, reputational and crisis management, lost business and the cost of credit monitoring.

Like the policies, the price of the coverage varies, too, though Francis said prices are coming down as more insurers enter a market served by the likes of Travelers, AIG, Chubb, ACE Limited and CNA. The increased competition is making cyber insurance more affordable for many smaller firms, which can buy policies tailored to their risk profile, which is increasingly important for small- to mid-sized firms.

Not having cyber insurance could prove costly for businesses.

The Ponemon study found the average cost of a data breach to an organization in 2013 rose to $5.9 million from $5.4 million in 2012. The study looked at firms where the information of more than 500 clients had been compromised.

Behind the rising cost, there was an increase in the number of customers the firms surveyed lost after a breach. It's no surprise then, that lost business accounts for highest portion of the costs linked to a data breach, coming in at 38 percent, followed by legal services at 16 percent and investigations and forensics at 13 percent.

The study found the cost of a breach can be reduced if a firm already had a strong security profile and an incident response plan in place. It also found companies that notify customers too quickly—before doing a thorough assessment or forensic examination—risked increasing their costs.

For Clarity, the risk of not having cyber insurance outweighed the cost, which Wade said was "a couple of thousands of dollars" or roughly 5 percent of its total insurance costs.

"It's never one of those things you want to find out if it's worth having or not," Wade said. "But it certainly helps us to rest easy at night and focus on our business, knowing that we have it."

Mary Thompson joined CNBC in 2000 as a general assignment reporter. She has covered a wide range of stories for CNBC, including the 2008 financial crisis, Hurricane Katrina from along the Gulf Coast and the mutual fund industry's market-timing scandal in 2003.

Prior to joining CNBC, Thompson worked for Bloomberg Television and Bloomberg Radio, from 1992 to 2000, covering the stock market from the New York Stock Exchange and anchoring special coverage of Federal Reserve meetings. She also worked as a print reporter for Bloomberg, from 1991 to 1992, covering small banks and retailers.

Thompson holds a B.A. in English from the University of Notre Dame and an M.S. in journalism from Columbia University.

Want to be an Entrepreneur Leadership Network contributor? Apply now to join.

Editor's Pick

Starting a Business

I Left the Corporate World to Start a Chicken Coop Business — Here Are 3 Valuable Lessons I Learned Along the Way

Board meetings were traded for barnyards as a thriving new venture hatched.

Business News

'Passing By Wide Margins': Elon Musk Celebrates His 'Guaranteed Win' of the Highest Pay Package in U.S. Corporate History

Musk's Tesla pay package is almost 140 times higher than the annual pay of other high-performing CEOs.

Business News

Joey Chestnut Is Going From Nathan's to Netflix for a Competition 15 Years in the Making

Chestnut was banned from this year's Nathan's Hot Dog Eating Contest due to a "rival" contract. Now, he'll compete in a Netflix special instead.


Are Your Business's Local Listings Accurate and Up-to-Date? Here Are the Consequences You Could Face If Not.

Why accurate local listings are crucial for business success — and how to avoid the pitfalls of outdated information.

Money & Finance

Day Traders Often Ignore This One Topic At Their Peril

Boring things — like taxes — can sometimes be highly profitable.

Growing a Business

He Immigrated to the U.S. and Got a Job at McDonald's — Then His Aversion to Being 'Too Comfortable' Led to a Fast-Growing Company That's Hard to Miss

Voyo Popovic launched his moving and storage company in 2018 — and he's been innovating in the industry ever since.