15 Days of Cyber Insurance: Trends

The cyber insurance market: $2.4B in premiums, 90% US-based though purchased by only 1/3 of US companies, and forecasted to double by 2020. Or maybe triple. Or grow to $20B by 2025. For a new and growing industry, size projection is difficult and prone to error. Government regulation could greatly affect the trajectory of the market; one Lloyd’s insurer has suggested that governments should cover cyber risks, because they’re too great for insurers. For an industry that can cover natural disasters and protect against a variety of criminal intentions, that’s a strong statement, but in the US cyber attacks may be covered by TRIA if they’re found to be part of a terrorist campaign.

With an average cost to a US company of $230 per compromised record — or a median of $20 and a mean of $956 — or $13 and $964, respectively — look, experts disagree sometimes — and more for certain industries, like healthcare, with specific additional fines, it’s not surprising that insurance companies surveyed by Advisen see 30% of insureds renewing coverage with higher limits. (Generally, one insured can carry at most $300M of coverage, usually from multiple insurers.) Unfortunately, 39% of respondents to Advisen’s survey also said that coverage pricing was inconsistent, and that coverage terms were “all over the board.” Whether certain types of cyber attacks are covered by more general policies also varies widely. One homeowner’s insurance policy even offers cyber bullying coverage.

The types of coverage requested tend to follow trends in types of attacks: last year, fraud-based coverage was popular (e.g., phishing scams), and this year ransomware is taking off. Property damage and bodily injury are also beginning to be included in policies by insurers such as AIG, Aegis, and BRIT, as concerns grow over what hacking the internet of things (or your self-driving car) might mean for your life and limbs.

Even so, comprehensively evaluating cyber risk is difficult in an area where the threat landscape changes so quickly. The NIST cybersecurity framework offers a baseline for insurers to evaluate customers’ systems, but predicting risk means predicting what hackers around the world, as well as North Korea, are going to choose to target. Tools like PRISM-Re and Bitsight rely only on identifying patterns of malware distribution and botnet communication that they’ve seen before, not on anticipating the other side’s novel moves.

Predicting that the cyber insurance market is going to grow is a safe bet. To take a better guess at who will be buying those policies, look at who is being victimized now (hospitals, power companies) and which industries are newcomers to digitization (agriculture, mining, construction, hospitality). Generally, the more tech-savvy an industry, the better a handle they have on security best practices, so savvy agriculture and construction businesses should be buying more cyber insurance in recognition of their blind spots.

The biggest elephant in the room is whether insurers are paying out on claims. One study found a median claim payout of $144,000 and a mean of $733,109, while typical claims ranged from $30,000 to $263,000. The median claim was $77,000, while the average (mean) claim was $674,000, indicating that when breach costs are high, they’re very, very high. So, those claim payouts mean that a normal-sized breach will be covered, while only catastrophic breaches will exceed insurance limits, right? Of 160 claims studied, 83% reported payout, but the average payout decreased 8% from the previous year, and has been decreasing since 2012. (Paid claims are around 90–95% for health insurance, 80% for homeowner’s insurance, so 83% sounds about right.) A common benchmark — at least, a year or two ago — was that IT was 10% of an organization’s budget, and security was 10% of IT’s budget, or 1% overall. Those percentages are shifting upward as the cyber threat grows, but an economic argument for cyber insurance could be made by comparing the costs of a breach — by industry or business size — and the costs of cyber insurance. Cyber insurers may also be increasingly willing to pay claims when they’re able to recoup those costs by suing third parties that provided IT services to their insureds, as was the case in Travelers Cas. & Surety Co. v Ignition Studio, Inc (2015). Predicting that payouts will increase seems like a good bet also.

-Allison Berke

