A growing number of UK organisations are predicted to take out cyber insurance policies this year. So what's driving this uptake and are there any pitfalls IT leaders need to be aware of?
"They will be rubbing their hands in glee," says Ann Bevitt, head of law firm Morrison & Foerster's London privacy and data security group.
Bevitt isn't quoting the chief of MI6, Sir John Sawers, who claimed recently that whistleblower Edward Snowden's leaks would aid terrorists. Instead, she says, the ones who could reap the biggest rewards from the ongoing hysteria over mass surveillance, rising cyber threats and regulatory changes, are insurers.
But according to several top law firms, UK organisations are not yet insuring themselves against data breaches.
"In our experience, the vast majority have not insured themselves against such risk," says Vinod Bange, partner at law firm Taylor Wessing.
Indeed, Richard Cumbley, a partner at Linklaters, believes that cyber insurance policies are less popular now than they were three years ago.
"I have had clients report to me that they have found the exclusions of these policies so great that it doesn't make them very valuable; the premiums may be outweighing the losses recovered in the EU," he says. In other words, organisations found that their premiums were more than the payouts they received under their policies, when it came to making a claim.
This contrasts with the US, where a recent survey from security software firm Symantec found that data recovery costs are higher than in the EU, which may explain why current insurance policies are skewed towards the US market.
US take-up of cyber insurance has been steadily growing as a result of security breach notification laws that have been enacted in most US states since 2002, Jamie Bouloux, head of cyber products and liability at insurer AIG, explains.
"US businesses became much more concerned about dealing with privacy and identifying issues around large datasets of their subjects going missing or being stolen [after the new notification rules came in]," Bouloux says.
AIG has been underwriting cyber insurance for 13 years, and a year and a half ago it rolled out the product across EMEA (including the EU) and Asia Pacific.
The timing couldn't have been better, with proposed EU regulations set to include fines for breaches of up to two per cent of global annual turnover - which could cost big corporations millions of pounds. For some, two per cent is not nearly enough.
"It is really scary for businesses in the EU because now there is talk of a fine [for data breaches] of up to five per cent of annual worldwide turnover, up from the two per cent that was stated. Either way it will make every organisation stop and think because that is huge, and this is likely to drive growth in insurance," says Bevitt.
AIG can see that growth coming as a result of the new regulation, just as it did in the US a decade ago.
The insurance would be a "secure safety net", Taylor Wessing's Bange claims, as firms will be more exposed and not be able to sweep incidents "under the carpet", which would in turn lead to reputational damage.
But Linklaters' Cumbley argues that, for now, companies' compliance teams should focus on staff training rather than taking out insurance, as he believes most data breaches involve some kind of human failure.
Bevitt, meanwhile, argues that organisations must also raise awareness among employees of external threats from hackers or disgruntled former employees. "However good your policies are in minimising risks, it won't get around the significant risks that come from an external source," she says.
Does insurance lead to complacency?
AIG's Bouloux dismisses the notion that organisations that take out cyber insurance will use it as an excuse to relax their internal data governance practices.
"We've partnered with a company called Risk Analytics to offer internal training to clients around data security, data breaches, encryption, email safety and so on, so that if something happens when a client loses data, they can tell the regulator that they did everything within reason to try to ensure that there was an environment of security where its employees knew how to handle client information," he says.
"Being able to prove that they weren't negligent could save organisations millions in the long-run," he adds.