Chubb Group's move to expand its CyberSecurity insurance programs highlights the fact that IT security risks are finally being recognized in more traditional risk mitigation arenas.

Last week’s news from the Chubb Group that it has broadened its efforts to help organizations protect themselves against potential cyber-attacks and electronic data theft signifies a growing institutional recognition of the harsh realities of today’s computing environment. While the market for cyber-insurance remains largely nascent, with most private sector organizations still unable to adequately safeguard their financial and operational well-being against a major breach or outage of IT services, Chubb’s introduction of its newest commercial risk mitigation programs represents an encouraging step forward. With the creation of more realistic cyber-policy pricing levels and insurance programs that better address the technological and economic complexities facing today’s organizations related to theft of electronic records and intellectual property, it’s finally becoming more practical for people to attempt to prepare for the potential fallout of major incidents. It’s specifically encouraging to see insurance carriers making a good faith effort to launch policies that more accurately calibrate the economic impact of electronic data breaches as it has become increasingly clear that in the aftermath of such events many businesses suffer an array of financial hazards – ranging from regulatory fines and customer churn, to other immediate and long-term revenue risks. At the same time, there’s still a critical shortcoming in the ability of insurers to closely predict the size and scope of these losses, creating an environment wherein coverage is improving but limited in its ability to allow organizations to comprehensively address their overall financial exposure.

A Promising Future for Risk Mitigation

The cyber-insurance market is currently sized at roughly $450 million in annual sales, which is not insignificant, but pales in comparison to more mature areas of institutional risk mitigation. I would predict that with the launch of programs such as Chubb’s expanded CyberSecurity services, this number will grow exponentially over the next few years as other carriers move to take advantage of the opportunity and customers are presented with more attractive alternatives. It’s also my firm belief that cyber-security should be attached directly to traditional directors and officers (D&O) coverage as executive leadership increases its situational awareness related to the dangerous realities of the current computing environment. In its announcement, Chubb specifically highlighted the growing willingness of financial institutions to invest in these types of insurance programs that seek to help prepare for the day when attackers are able to bypass their IT defense mechanisms. However, it’s clear that the efforts of the cyber-crime underground now reach far beyond the banking and securities trading markets, with attacks proliferating across nearly every vertical industry imaginable.

As Chubb noted, work by researchers at Verizon, among others, has shown that companies of all sizes and business models are enduring a near-constant barrage of attempted attacks, and annual surveys conducted by experts including Ponemon Institute have found that as many as 85 percent of all organizations have experienced one or more electronic data breaches in the last year alone. Operational risk and reputational risk have metastasized due to the deployment of information technology, and as a result other sectors will also move to find additional protections that allow them to continue to expand their use of technology without further imperiling their economic wellbeing. "A company's existing policy most likely will not help protect against these data security exposures or may only offer protection for specific exposures, leaving gaps in their coverage," Tracey Vispoli, Chubb's global cyber-solutions manager, said in a summary of the carrier’s new programs. Those assessments ring true for most organizations today, but as we see growing awareness of IT security risk and further development of practical cyber-insurance policies I feel confident that improvements in this arena will be realized as other companies follow Chubb and its customers’ lead. It’s worth noting that Core Security’s unique partnership with Chubb allows proactive organizations who use CORE IMPACT Pro to assess their IT security exposure to receive a 10 percent premium discount from Chubb on its CyberSecurity Programs. Now that’s truly comprehensive protection.