Growing awareness of cyber threats and reporting requirements by regulators are driving a newfound interest in insurance products covering data breaches and other computing risks.
Almost a third of companies (31 percent) already have cyber insurance policies, and more than half (57 percent) that don't have policies say they plan to buy one in the future, a recent study by the Ponemon Institute and Experian Data Breach Resolution found.
"It's an issue that's much more front and center with senior executives in companies now," Larry Ponemon, founder and chairman of the Ponemon Institute, said in an interview.
"Data security may not be a top five issue with companies, but it's in the top 10," he added.
Concern over cyber threats is so great that more than three quarters (76 percent) of the organizations participating in the study that had experienced a security exploit ranked cyber security risks as high as or higher than other insurable risks, such as natural disasters, business interruptions and fire.
"That's very surprising," Ponemon said. "A lot of folks feel — maybe because of all the media coverage or all the war stories we hear about — that the whole area of data breach and data loss is an issue that can have a material impact on the company."
The researchers also found the average cost of the security incidents affecting the companies participating in the study to be $9.3 million. When asked to predict what the average cost would be to them in the future, respondents estimated $163 million.
Nevertheless, a company's interest in cyber liability insurance appears to be piqued only after its data horses have left the barn. Seventy percent of respondents say their companies became much more interested in insurance policies after an incident, the study said.
For companies shying away from cyber liability insurance, top reasons uncovered by the surveyors were expensive premiums (52 percent) and too many exclusions, restrictions and uninsurable risks (44 percent).
"One of the things that makes people leery about insurance are all the things that aren't covered in a policy," Ponemon said. "That's true of all kinds of insurance. We think we're covered, but we're not really covered so we live in a sort of false paradise."
Before computing was as mission critical as it has become for most businesses, a company may have been able to persuade an insurer to cover a loss connected to a cyber incident under the organization's general liability insurance policy. That's not the case anymore.
"Insurance companies have tightened up their underwriting in casualty and property policies," Ponemon explained. "We're starting to see data breaches and security compromises specifically excluded from those policies."