Much like cyber terrorism, cyber insurance has recently had a growth spurt. Companies first started considering working with insurance companies to mitigate cyber incidents just before the new millennium. It was the late 1990s, and the threat of "Y2K" worried some organizations about coverage.
During the last twenty years, we have seen the cyber insurance market evolve from a very small, niche line of insurance into a widely offered safety net that more and more companies are purchasing.
The most recent Pricewaterhouse Coopers “Global State of Information Security” survey shows just less than 60% of companies currently have some form of a cyber insurance policy. The growth in the market has been driven by an increase in cybercrime awareness as well as new privacy and data protection legislation in the United States. The Insurance Information Institute (I.I.I.) reported a figure by Dr. Robert Hartwig, president of the I.I.I. and an economist of cyber insurance, to be a "$2 billion market but expects it to more than triple to $7.5 billion by 2020".
As the cyber insurance market has developed, it has become more than just an American-focused type of insurance and as noted by Allianz, we are currently seeing growth in the market across the globe. Historically, cyber insurance has covered data breaches and privacy issues. Companies would buy it in case they were hacked, and the insurance would help fray the costs associated with third-party liabilities, such as legal or regulatory costs. Allianz's Guide to Cyber Risk also recognized it additionally covers more immediate costs like implementing new security measures, paying for fraud monitoring for affected individuals, and public relations costs associated with the incident.
More recently, there has been a trend towards offering cyber insurance with the more immediate benefits of covering business interruption costs due to a cyber attack. As more and more businesses are run by computers and access to real-time data becomes an ever more valuable commodity, companies are at risk of losing vast sums of money if these systems go down for even a short period of time. This new wave of cyber insurance helps large companies transfer this risk to insurers. This type of insurance comes at a high cost to policyholders, however. Though premiums may be higher the commitment to cybersecurity products may be there. Cybersecurity Ventures has projected the 2017-2021 worldwide spending on cybersecurity products and services to be more than $1 trillion. As SC points out, knowing what the policy "does and does not cover" is important to know.
Going forward, the interconnected nature of the IoT and industrial technology is going to make cyber insurance policies more interesting. There is currently a gap in policies that will not cover physical damage caused by cyber-attacks. If for example, a cyber-terrorist hacks into Acme Corp., a Fortune 500 manufacturer of technology components, and manipulates their manufacturing lines causing them to overheat and start a fire in the plant, Acme’s current cyber insurance may not cover the physical damage caused in the attack.
The insurance company will pay to figure out how Acme got hacked and maybe cover the costs of business interruption, but the cost of building a new plant will fall on Acme. These examples show the immaturity of the cyber insurance market. As more companies realize the rate and ramifications of cyber attacks while concurrently coming to the realization that their current cyber safeguards are likely inadequate, they will be more likely to indulge in cyber insurance.
To read more about the potential future of cyber insurance and other trends, download the 2016 State of Cybercrime Report.
November 16, 2016