Sony Pictures suffered an estimated $100 million in damages after a crippling hack by North Korea in 2014 over the release of the Kim Jong Un-targeting buddy-comedy movie “The Interview.” As a result, sensitive details of contract negotiations spread across the internet and troves of data disappeared. But the movie studio suffered almost no financial damages, its executive told Reuters, thanks to cyber insurance.
“The cost is far less than anything anybody is imagining and certainly shouldn’t be anything that is disruptive to our budget,” said Sony chief Michael Lynton.
Four years after the Sony attack, experts say the size of the cyber insurance market has skyrocketed.
“Cyber insurance is a growth market for the industry today,” said Sasha Romanosky, an expert at the RAND Corporation, a private research organization. He estimated that the current market size is around $2 billion in the United States, which may seem like a small size for an industry worth an estimated $350 billion. Still, the cyber insurance market is expected to become a $10 to $15 billion sector in the next decade, according to Romanosky.
Roughly 30 percent of companies currently have some form of cyber insurance, Romanosky said, and that number is expected to grow. Everything from extortion expenses to cleanup to breach notification can be included in policies.
Major insurance carriers also offer cyber policies for public sector bodies like governments, schools and utilities.
Romanosky said that a company is evaluated for its risk of being hacked when it receives cyber insurance, just like car or health protection. Customers have demanded a streamlined process to be evaluated for cyber risk, and as a result the industry has tried to move away from a tradition of onerous questionnaires.
The risk evaluation process could lead to greater cybersecurity, said Chris Wysopal, the chief technology officer at cybersecurity firm Veracode. He compared cyber protection to how fire insurance boosted safety because flame retardant products decreased risk and drove down premiums.
“Insurers are getting smarter and they are looking for basic security practices,” Wysopal said. “I have heard of companies getting turned down because their security practices are too immature, and that is a good sign.”
But judging a company’s cyber risk can be challenging.
“Insurers are proceeding cautiously because it is very difficult to predict cyber risk; it is a moving target,” said Sam Friedman, a researcher at consulting firm Deloitte. “It is like bioterrorism because it could happen to anyone at any time. It is a large vista for companies to assess.”
The average limit for each policy is around $3.25 million, Friedman said. Larger companies, like defense firms that have become a favorite target of Chinese hackers, have specialized policies that have outsized limits.
Most commercial insurers offer some type of cyber policy, and even companies that don’t purchase an explicit policy may still be covered through “silent protection,” which is standalone protection that is not specific to an incident.
While Friedman said cyber insurance margins are thin, he expects it to expand.
Cyber insurance “is marginally profitable for providers because companies like to sleep at night knowing that they are covered.”
This article was updated to change the average insurance policy limit from $750,000 to $3.25 million.
Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.