Cyber Insurance: A Buyers' Market?

Although relatively few carriers offer cyber insurance, buyers can negotiate favorable terms when purchasing policies, two information risk management experts say.

"There are plenty of cyber insurers that will write [policies] and fit the needs of clients regardless of their risk profile," says Michael Bruemmer, vice president of consumer protection at Experian Consumer Services, which offers data breach response services.

In an interview with Information Security Media Group, Bruemmer and Mark Greisiger, president of risk management services provider NetDiligence, discuss the cyber insurance marketplace.

"I met with more than a half-dozen underwriters and they were complaining about how low, in fact, the premiums were because so many people were jumping in the market [to buy coverage]," Greisiger says.

Surge in Carriers

About 60 U.S. carriers now offer cyber insurance, up by one-third in the past two years, Bruemmer and Greisiger say. By comparison, about 1,000 companies offer property and casualty insurance.

The growth in the number of carriers offering cyber insurance reflects the increased demand, they say. A survey by the Ponemon Institute of 600 privacy and compliance officers, sponsored by Experian and published in October, shows that 35 percent of respondents say their organizations have cyber insurance, up from 26 percent in 2014 and 10 percent in 2013.

In the interview, Bruemmer and Greisiger discuss:

- Obstacles that have limited the number of carriers offering cyber insurance;
- The evolution of ransomware, a risk that cyber insurance typically covers; and
- Why cyber insurance carriers don't cover massive breaches that target critical infrastructure.

In addition to his role at Experian Consumer Services, Bruemmer serves on the Medical Identity Fraud Alliance Steering Committee, Ponemon Responsible Information Management Board and the International Association of Privacy Professionals Certification Advisory Board.

Greisiger has led NetDiligence since its inception in 2001 as a cyber risk assessment and data breach services company. Previously, he spent 12 years in the insurance industry, primarily with CIGNA P&C, where he helped create the first generation of cyber risk insurance.