Cyberinsurance is a $2 billion industry, but new research shows that experts disagree on whether it’s worth buying.

The insurance works essentially the same as any other type of policy. Companies pay premiums and file claims if they suffer a significant data corruption or loss ranging from simple equipment failure to complex malicious hacking. Lost devices, human error, and even September 11-style terrorism are all security issues for which modern businesses must prepare, insurance companies say.

Corporate CIOs, security specialists, and others are left to wonder whether the doom-and-gloom assertion is true or just salesmanship.


Over at RAND, the Southern California nonprofit think tank, analyst Sasha Romanosky–an electrical engineer, computer security researcher, and public policy Ph.D.–plainly stated his viewpoint. “If I was a large business then I probably would want to buy cyberinsurance. For most companies it probably isn’t all that necessary.”

There are more than 70 companies offering cyberinsurance, but it’s only about 1 to 1.5% of the $200B insurance industry overall, Romanosky said, citing figures from his August 2016 report. However, he noted a dangerous side effect. Just as a football player may take risks because he feels protected by pads, “There’s this moral hazard issue. Once you’re insured you might stop taking the precautions, because why should you,” he said.

“[W]e estimate the total costs from cyber events at approximately $8.5 billion annually. We find that the typical cost of a data breach is less than $200,000, far lower than the millions of dollars often cited in surveys,” he stated. That’s far less than the cost of fraud involving billing, corruption, financial misstatements, and retail shrinkage, he found.

Another question is whether owning cyberinsurance does anything to increase data safety measures. “Nobody really knows except for insurance companies and they are the only ones who have the data,” Romanosky explained. He said the insurance industry doesn’t seem interested in pursuing that research. He speculated that it’s because of the effort, simple lack of interest, or a variety of what he called “goofy institutional excuses.”

RAND itself owns cyberinsurance, Romanosky said, as the company would be a high-profile target for hackers and has 1,800 employees.


NetDiligence, a cybersecurity risk management specialist outside Philadelphia, is known for its annual report on cyberinsurance claims. President Mark Greisiger is planning to publish the 2016 edition in the next few weeks and gave TechRepublic early access to the highlights. (Check out the 2015 NetDiligence report.)

The new report examines 177 cyberinsurance claims averaging $648,000–that’s down from $805,000 last year due to an increase in smaller and medium-sized companies making claims. The largest claim value was $6.6 million. On a per-record basis, the median cost is $41, while the average cost is $17,334, inflated by a small number of claims above $1 million per record, the report shows. Costs for crisis services are somewhat down, while costs for legal defense and legal settlements are sharply down, also due to the increased share of overall claims coming from smaller businesses.

RAND’s Romanosky may be fighting a losing battle in advising smaller companies not to bother with cyberinsurance. An article in The Hill this week said Rep. Ed Perlmutter (D-Colo.) recently introduced legislation to subsidize data breach insurance and encouraged best practices to avoid having to use it. “The Data Breach Insurance Act would offer a tax deduction of 15 percent of the cost of breach insurance,” The Hill reported. “The insurance rebate would only apply to policies that required companies to enact good cybersecurity practices, like those in the National Institute of Standards and Technology (NIST) Cybersecurity Framework.”