Many businesses purchase insurance policies hoping they never have to use them. Unfortunately, that hasn't been the case with cybersecurity insurance.
A recent Wells Fargo survey of 100 U.S. middle-market and large companies found that 85 percent say they have purchased cyber and data privacy insurance, while 44 percent have already filed a claim as a result of a breach.
The report didn’t look into the total cost of the claims, but a recent study by NetDiligence pegged the average claim for a large company at $4.8 million.
And how much do companies pay for cyber insurance? The cost of a policy depends on a variety of factors, including the type of business, volume of records (personally identifiable information, protected health information, credit card data) and the organization’s security controls.
"Network security and privacy liability (aka 'cyber') is one of the most subjective lines of insurance, meaning that the underwriter has significant flexibility when pricing the risk," Dena Cusick, national practice leader with Wells Fargo Insurance’s Technology, Privacy and Network Risk National Practice, told NBC News by email. "The premium can be as low as $750 for a small, well-managed organization and well into the seven figures for large organizations with significant volumes of data."
With corporate data breaches popping up in the news seemingly nonstop, the report said most large businesses now believe cyber risks are greater than other insurable business risks such as natural disasters and fires. Yet, it found that many businesses that purchase cyber insurance aren’t testing their plans, don’t have incident response guidelines and haven’t adequately trained their employees about cybersecurity and data privacy.
Meanwhile, the rise in cyber claims filed is also driving up insurance rates.
Average cyber insurance rates for retailers jumped 32 percent in the first half of 2015 alone, after staying flat in 2014, according to insurance brokerage Marsh & McLennan Co.
"The market for network security and privacy liability is definitely hardening due to the increase in claims, success of the plaintiff’s bar with regard to class-actions and the increase in data privacy events overall," Cusick said.