One reason for excluding those risks is they're hard to quantify. "While interest continues to grow, the market for cyber insurance is still immature, because the risks underlying the coverage are difficult to quantify from an actuarial standpoint," John A. Wheeler and Paul E. Proctor wrote in a Gartner report last year.
"With no standard set of actuarial tables, insurance carriers are often left to their own underwriting standards and creativity when offering cyber insurance policies," they wrote. "A lack of actuarial data also makes cyber insurance less desirable to companies, while increasing the price."
Insurers, though, have gotten better at quantifying certain kinds of cyber risks. "Where cyber insurance has gained some traction is in an area that's more quantifiable — the data breach area," Andrew Braunberg, a research director at NSS Labs, said in an interview.
"That's where all the action is today for obvious reasons," he continued. "There are breach notification laws so businesses can't get out of doing it, and there's lots of data so the insurance companies are pretty confident what an incident is going to cost them to insure it."
It's not so easy, however, to calculate the cost to insure other risks, such as loss of reputation, intellectual property or network connectivity. "The actuarial data there is nowhere near as complete or refined as it is with the simpler breach policies," Braunberg said.
One insurer that has seen a recent bump in interest in its cyber liability offerings is Hartford Steam Boiler. It launched a data breach product in 2007 and a cyber threat offering this year. "We've seen steady interest in the data breach policy over time, but a renewed surge of interest in it over the last six months or so," Vice President Timothy Zeilman said in an interview.
"We've seen steady interest in the cyber threat product as well," he added.
That interest is being fueled by increased awareness in the market. "We're seeing, particularly in the media, coverage of cyber events, whether it be cyber espionage or high profile data breaches," Zeilman said.
Data breach laws have also contributed to increased interest in insurance. "Data breach coverages whole reason for being is the notification laws that exist in 46 states," Zeilman observed. "The purpose of those coverages is to help insureds bear the cost of complying with state notification laws."
In addition, the U.S. Securities and Exchange Commission (SEC) has issued guidelines suggesting public companies report cyber incidents on corporate filings. "It wasn't the watershed event that the insurance industry thought it would be," Zeilman said. "But it was one of many things that's led to higher exposure for this kind of insurance."
Sign up for CIO Asia eNewsletters.