Do Individuals Need Cybersecurity Insurance?

By Priya Anand

How much cybersecurity do you really need?

Data breaches at banks, health-care providers and government agencies have led companies to invest more in security programs. Now, security providers are pitching business-style protection to consumers.

Many homeowners’ insurance policies include identity-theft coverage, which typically includes access to credit monitoring and a case manager who can help victims clean up the mess. But some companies are taking consumer cyberprotection a step further, offering home-security audits and checking whether computer systems are hack-proof. The pitch is that individuals with investments and sensitive data they access on home and mobile systems may be more vulnerable than they think.

Avivah Litan, a security analyst at Stamford, Conn.-based Gartner Research, says these services could prove more valuable than identity-theft insurance, which does little to prevent fraud from actually occurring. She says people with several million dollars in investible assets should consider what safeguards their banks and brokerages have in place and weigh the cost of extra protection against potential losses.

“You have to put a price tag on your risk,” Ms. Litan says. “How much of a drop can you afford?”

Weighing the odds

Pure Insurance, a White Plains, N.Y. policyholder-owned company, began offering a “CyberSafe Solutions” program in June. Through a partnership with Concentric Advisors, a Kirkland, Wash.-based cyber- and personal-security firm, the insurer provides a one-day audit of home networks starting at $1,500. For another $500 to $3,000 monthly, it will monitor a client’s home-computer networks for intrusions. Clients also can buy a $2,500 “social engineering assessment,” which analyzes how criminals could exploit publicly available information on a client.

Martin Hartley, Pure’s chief operating officer, says the program was launched after the insurer started receiving cyber-related claims, including one in which an intruder hacked into a client’s email and ordered the client’s personal assistant to transfer $115,000 to a Florida account. He says the bank declined to reimburse the amount since an authorized user—the assistant—had approved the transaction.

Rick DeGolia, the mayor of Atherton, Calif., says he has signed up for a security audit of his home networks and devices from Pure. He says he considers the chances of someone hacking into his accounts and stealing funds to be greater than the probability of a natural disaster destroying his home. “You wouldn’t buy a house without homeowners’ insurance,” he says. “I’m more worried about this than I’m worried about a fire.”

Still, not everyone who thinks they need extra protection does, saysScott Johnson, a former Secret Service agent and founder of Trailblazer International, a cybersecurity and executive-protection firm in State College, Pa., that charges $250 an hour for consulting and $7,500 to spend a week cracking a client’s network to identify weaknesses “Some people are just paranoid.”

Who needs it?

So how can consumers determine if they’re candidates for extra cybersecurity? Here are a few things to consider:

Does a service offer protection beyond what I’m already getting?Individuals who keep most of their money in bank checking or savings accounts and use credit cards generally are at less risk, Gartner’s Ms. Litan says, because banks and credit-card issuers typically offer protection against liability for fraud. People with investment accounts should ask advisers and brokerages whether they offer written guarantees that clients will be made whole after a breach. Just 15% of broker-dealers and 9% of advisers have such written policies, a Securities and Exchange Commission survey found.

Investors also should investigate what checkpoints firms have in place before they will transfer funds, Ms. Litan says.

How much do I have to lose? For people with several million dollars’ worth of liquid and investible assets, the cost of extra security would be negligible and probably “worth it,” Ms. Litan says. But even if they have less money, any loss might feel painful, so people should make sure their funds are protected either by the Federal Deposit Insurance Corp., which protects deposits in checking, savings and money-market accounts, or a written policy from the investment firm, she says.

Do I handle valuable financial data or intellectual property? A company executive or the founder of a startup who accesses financial or other sensitive information on a personal device or home computer may be a target. The concern is that hackers may target these types of individuals for their intellectual property or company details, and then make away with personal information while worming through their networks.

Ms. Anand is a reporter for MarketWatch in New York. She can be reached at [email protected].