Businesses can buy ‘cyberinsurance.’ Why can’t you?
Did you get a year’s worth of free credit checks because of the Target breach? Did you replace your credit card after Chase caught someone using its number to make unauthorized online charges? Did you have to wipe or replace your computer after contracting a nasty computer virus?
If you’ve fallen victim to a hacked account, malicious software, or stolen personal information—consumers’ top Internet-related concerns, according to the 2015 Travelers Consumer Risk Index—you might have googled the word “cyberinsurance.”
For businesses facing data breaches, computer viruses, and denial-of-service attacks, the stakes are high: They can quickly suffer damages to their earnings, customer base, and reputation. In efforts to safeguard themselves against financial losses resulting from such computer security threats, they are driving rapid growth in the industry.
“[T]he trends we’re seeing are attacks on businesses, which is where criminals stand to make out big.” –Dave Berg, global and U.S. cybersecurity leader, PricewaterhouseCoopers
About a third of U.S. companies already have some form of cyberinsurance coverage, according to a report PricewaterhouseCoopers released last year. And as global computer security incidents, estimated two years ago at nearly 43 million, are becoming more and more prevalent, the cyberinsurance industry is expected to grow threefold, to at least $7.5 billion, by 2018.
So far, as your Google results might have indicated, that growth has barely touched the consumer market.
“I have not seen or heard of a market selling cyberinsurance for the consumer,” says Dave Burg, global and U.S. cybersecurity leader at PwC. “There’s quite a bit of interest in purchasing monitoring services, like for credit card scores and other personally identifiable information, but nothing like what’s offered for businesses.”
Cyberinsurance providers, Burg says, are aware that hackers largely target their cyberattacks at corporations, not individuals.
“There are some botnet attacks that pop up, which are the consequences of consumers making mistakes on computers,” Burg says. Keyloggers, software that surreptitiously records your keystrokes, he says, “might capture their credit card numbers. But the trends we’re seeing are attacks on businesses, which is where criminals stand to make out big.”
Insurance companies also find that there are too many unknown variables in personal cybersecurity, says Dr. Robert Hartwig, president of the Insurance Information Institute.
“As a practical matter, it’s tough for insurers to understand how well you protect your computer—like whether you use antivirus software,” he says. “It’s also impossible for the insurer to verify what’s on your computer. You might claim that there’s very valuable information, should it be locked by ransomware, but there’s no way of verifying it.”
Cyberinsurance for businesses, not consumers
With businesses, on the other hand, the risks are more easily quantifiable, making them easier to insure, Hartwig says. Their information has known value—credit card information and medical records are easily sold on the black market, for example.
“Because businesses are responsible for the security of the data they hold, they’re liable for any adverse consequences that happen with a breach,” he says. “If they don’t keep their information safe and secure, they have liability. There are costs associated with alerting customers, lawsuits, reputation damage, experts to remove malware, and so on. It’s harder to quantify and value personal data, should an individual be compromised.”
Some insurance companies, while still shying away from selling consumers the types of cyberinsurance they offer businesses, are offering individual customers services related to cybersecurity.
Pure Insurance, for example, offers a one-day audit of an individual’s home network, starting at $1,500. For an extra $500 to $3,000 monthly, it will monitor an individual’s home computer network for intrusions. Pure also offers the option to buy a $2,500 “social-engineering assessment,” which analyzes how criminals might exploit their publicly available information.
Other insurers, including Nationwide, offer identity theft coverage. Nationwide’s program includes services like making required phone calls to creditors, banks, and agencies on your behalf; helping you replace documents; and providing up to $25,000 in recovery for expense reimbursement. Nationwide provides quotes for customers on an individual basis.
And others offer credit monitoring, Burg says. Farmers offers it as part of its Identity Shield program. For $65 per year, it monitors customers’ credit files and publicly accessible records for fraudulent activity; assists them in recovering from identity theft; and provides coverage for $28,500 in expenses.
Hartwig says some people may find these programs worthwhile, depending on how much they stand to lose.
“Identity theft, especially, is so commonplace today,” he says. “Things happen online in much of the same way a fire might happen in your house. Despite the steps you take to keep yourself safe, you could still become a victim.”
If you’re interested in monitoring or identity theft coverage, Hartwig says to contact your insurer first. It often can be added to your current policy.
“Generally, these services don’t cost a lot, and sometimes that’s worth the peace of mind,” he says.
Correction, March 24 at 11:47 a.m. PST: A previous version of this story misspelled the last name of PricewaterhouseCoopers’ Dave Burg.