The number of US-based clients purchasing standalone cyber insurance increased 32% in 2014 over 2013, according to a report from insurance broker
Marsh.
The percentage of existing Marsh financial and professional liability clients that purchased cyber insurance over the same period was 16%, with early evidence in 2015 suggesting a continued acceleration in the demand for coverage for losses from data breaches and business outages.
The healthcare and education sectors took the lead in terms of take up rate, due to the large amount of attractive data held on students, workers and patients, at 50% and 32%, respectively, followed by hospitality and gaming (26%) and services (22%).
Meanwhile the sectors showing the most notable year-over-year increases in the number of clients buying coverage for data breaches and outages included hospitality and gaming (69%) and education (58%).
Marsh noted that the power and utilities sector stood out, with 47% more clients buying standalone cyber coverage in 2014 than 2013. Businesses in this sector frequently cite the risks and vulnerabilities associated with the use of supervisory control and data acquisition (SCADA) networks — which control remote equipment — and the cost of regulatory investigations as driving factors behind their cyber coverage purchases.
Insurance limits are also on their way up, as Marsh clients with revenue exceeding US$1bn purchased 22% higher cyber insurance limits on average in 2014 at US$34.1m, compared to US$27.8m in 2013. Financial institutions continued to purchase the highest average limits, followed by power and utilities firms and communications, media, and technology companies.
The report “Benchmarking Trends: As Cyber Concerns Broaden, Insurance Purchases Rise,” warned that insureds also face heightened due diligence from underwriters, that are now seeking to drill down beyond simple reviews of the company’s general information security policies and look at whether they have not just appropriate security technology in place but also formal incident response plans in place that outline procedures for protecting data and vendor networks and, more importantly, if such plans have been tested.
