There's a good reason why 2011 isknown among security professionals as the Year of the DataBreach.

The antics began in April, with a bold, high-profile data raidon Sony's Playstation Network database—and ended with hackersscamming credit-card details, passwords and home addresses from thesystems of intelligence-analysis firm Stratfor in December.

In between were breaches at the IMF, Citigroup, Lockheed Martinand several others. Health-care data breaches alone were up 32percent over 2010, says the Ponemon Institute. The diversity in thetypes of businesses targeted in the past year by online criminalsshows that not a single sector of business is truly safe.

"Most companies are coming in contact with or storing privateinformation, whether it's credit-card information, employeeinformation or HIPAA (Health Insurance Portability andAccountability Act) data, so they're at risk," says ThomasHerendeen, vice president of underwriting for PhiladelphiaInsurance.

Adds Steven Haase, president of INSUREtrust, a nationalinsurance wholesaler that focuses on emerging risks: "If you sawthe terabytes of data that hackers have already accessed, [you'drealize] they have all the passwords and IDs they need for the next10 years—they just can't get to [using] them all today."

PRICEY EXPOSURES SPUR POLICIES

Disclosure of private information exposes companies to liabilityfor damages, breach-notification costs and remediation. Businessesmust navigate breach-disclosure laws in 46 states, and companiesdealing with health-care records contend with HIPAA and its HITECH(Health Information Technology for Economic and Clinical Health)modification of 2009, which specifically addresses extra secrecyprotections for a person's medical data.

"You might be a relatively small company, but the liability youmight have through a breach could be significant," saysHerendeen.

How much liability? A study of paidcyber-insurance claims, compiled in 2011 by NetDiligence, reportedan average incident cost of $2.4 million.

However, the most recent annual study of data loss by thePonemon Institute—which took into account detection, notification,post-response and lost-business costs—puts the average full cost ofa data breach at a whopping $7.2 million.

RISING AWARENESS AMONG RISK MANAGERS

Eighty-six percent of risk managers say that cyber-securityrisks pose at least a moderate danger to their organization,according to a 2011 survey sponsored by Zurich.

Companies have also become more cognizant of third-partyliability arising from breaches at outsourcers and serviceproviders, particularly as the growing acceptance of cloudcomputing has moved more data beyond the walls of corporatecenters.

Ponemon reports that third-partymistakes now account for nearly half (46 percent) of data breaches,and data-services providers observe that their customers aren'tjust requesting SAS 70 or SSAE 16 audits (both of which offerassessments of a company's ability to protect sensitive data);they're taking the time to personally vet their vendor's securitypractices.

"Clients have become much more aware of their liabilitiesassociated with losing data," says Frank Mobley, CEO ofdata-center-services-provider Immedion. "They are asking us whereour responsibilities end and theirs start for protecting data."

As awareness of risk has increased, so has interest in CyberLiability insurance—the catch-all term for policies that deal withfirst- and third-party risks arising from information assets andcan include coverage associated with both electronic and physicalrecords.

"We brand our product as 'privacy protection,'" explains JimWhetstone, senior vice president and U.S. technology and privacymanager at specialty-insurer Hiscox. "We make the point that[coverage] is not just about the Internet and not just aboutelectronic data. It is for anyone dealing with sensitiverecords."

Haase says that INSUREtrust's Cyber Liability business increasedby more than 20 percent in 2011 alone, and he expects similar orbetter results in 2012. Philadelphia has grown its business indouble-digits over each of the past three years and predicts a 30percent increase in 2012, mainly due to first-time buyers.

Even so, only 35 percent of risk managers in Zurich's surveyreported that their companies carried Cyber Liability coverage—anumber that Philadelphia's Herendeen believes is actually high."The industry estimate is that less than 5 percent of accounts withcyber exposure are actually purchasing the coverage now," hesays.

As a result, Herendeen adds with someunderstatement, "There is a pretty large growth potential."

CARRIER COMPETITION HEATS UP

Given the perception that a huge amount of potential cyberbusiness is there for the taking, it should come as no surprisethat carriers are rushing to provide coverage.

"Three years ago, there were probably five or 10 main carriersfor this business. The latest estimate of the current capacity isthere are 30-plus carriers," says Herendeen.

"The cyber market is irresistible to insurers," Haase adds."It's almost like crack cocaine."

Increased capacity is being seen in higher primary limits aswell as the expanded ability to layer coverage.

"The largest players are putting up [as much as] $25 million.More underwriters are willing to put up $15-$20 million on primary,and we can build layers up to $300 million," reports Willis GroupExecutive Vice President Peter Foster.

"It's a buyer's market," adds Haase. "There are carriersfighting over these risks. There are always three to five carriersinterested in a particular account."

Most Cyber Liability policies include coverage for breach-noticecosts, business interruption and data restoration.

But as with any specialty coverage, especially newer ones, thereis a disparity among carriers in terms of included coverage and availableendorsements for events such as cyber extortion; breach ofcommercial information and nondisclosure agreements; intentionalacts; and domain-name infringement, to name just a few.

"The Cyber Liability insurance market is the 'Wild West' ofinsurance," observes Scott N. Godes, counsel at Dickstein ShapiroLLP. "It's worthwhile going through a policy with a fine-toothedcomb with someone who truly understands Cyber Liability."

As the risks become better understood, the market is trendingtoward broadening of coverage—which is good news for buyers. Yeteven with broader forms and aggressive pricing, underwriters ofCyber Liability are still finding such business profitable.

For instance, Haase reports that INSURETrust has generated just$30 million in losses on more than $100 million in premium sincethe company has been in the cyber business.

But underwriters don't expect these good times to lastforever.

"We've seen an increase in the number of paid claims,particularly with the HITECH modification to HIPAA," saysWhetstone. "The industry will eventually need to re-evaluate thecoverage, particularly as carriers just coming into the marketexperience some lessons learned."