With data breaches now a mainstream business issue, a growing number of US firms are covering their risk by purchasing cyber-insurance, figures from broker Marsh USA have suggested.

Demand for cyber-insurance among the firm’s customers rose by a third during 2012 compared to a year earlier, the company said, with a particular spike in demand from the education and non-financial service sector.

The value of cyber-insurance also rose by a fifth to an average of $16.8 million (£11.2 million), with some organisations buying limits as high as $150 million and one reaching $200 million.

Communications and media bought the highest levels at an average of $33.4 million with the financial sector second at $26 million.

If such insurance burdens businesses with cost, at least cyber-liability rates rose only slightly  during the year, with increases just below three percent in the first half offset by a smaller fall in the final quarter.

“Underwriters have shown a greater interest in the information security practices and procedures of insured,” said Marsh’s year report.

“In particular, underwriters have focused on outsourced service providers, business associates, and other third parties with access to insureds’ (sic) confidential information.”

If widespread, this is an interesting observation because it could be an under-estimated pressure on firms to invest in security compliance beyond the traditional demands of auditors.

As cyber-insurance has come to be seen as necessary for some businesses, smaller and medium size businesses had started buying more cyber-insurance, Marsh also found.

“[Organisations] are beginning to view cyber security as a whole package, involving auditing processes, prevention techniques, mitigation and defence strategies and ultimately compensation should the worst happen,” commented Ash Patel of security firm Stonesoft.

“The amount of investment made against the collateral damage, for example, loss of reputation and drop in shareholder value, from an attack is a significant indicator of the huge importance organisations are now attaching to these processes.”

Last summer European Network and Information Security Agency (ENISA) said that the market outside the US remained badly under-developed, with only a handful of companies willing to underwrite such risk. That looks set to change.