Cyber risks are real and constantly evolving with technological advances and pervasiveness. Whether as individuals, small businesses or multinational companies, we all face the threat of a cyber incident that can result in costly financial consequences.
As the insurance industry deals with heavy competition for classic products and negative interest rate headwinds limiting returns from insurer’s bond portfolios, cyber risks present a major opportunity. With annual growth rates of up to 100%, global cyber insurance market size predictions for 2025 range between $10 billion to $20 billion-plus. However, at this time cyber also presents risks little understood by the insurance industry.
Over the past 12 months, we at CSC have seen a significant increase in client conversations about cyber insurance policies on the demand and supplier side. The following provides a brief summary of our observations and recommendations.
Does our organization need a cyber insurance policy?
Make no mistake: Whatever the size of your organization, you are at risk to fall victim to a cyber attack, regardless of the industry’s probabilities. You might be the actual target, the intermediary for some other target or just involved randomly. You might know of the attack immediately (for instance, through ransomware) or only long after the initial event. And it’s not only your organization’s IT on the line. Your internal operations, reputation and customers can be affected as well. So there are first- and third-party liabilities you have to deal with.
How much does coverage cost?
As we outlined earlier, Target, a U.S. retail company, incurred costs of around $260 million following its massive data breach. Its cyber insurance coverage was capped at $90 million. That policy probably cost Target between $200,000 and $400,000 in annual premiums. For coverage of $500,000 to $1 million, organizations pay anything between $500 to $20,000 per year. Coverage beyond $100 million can be realized by combining multiple underwriters. This might be necessary considering that the new EU data protection regulation includes fines up to 5% of global revenue, up to 100 million Euros.
Premiums vary between industries and organizations (even for the same coverage) because risks and cyber defense vary. The premiums for two hospitals of the same size could differ by several thousands of dollars if one has a better cyber defense. A breach at a retailer could lead to an overall increase in premiums for all retailers. So before buying a stand-alone cyber insurance policy, an organization should invest some time understanding its individual cyber risks and defense. The insurer will do the same. Small- and medium-sized enterprises might find this challenging as they lack expertise or budget to hire experts. A lot of the information to conduct such an assessment is available online free of charge. Companies can also check their existing insurance portfolios, as some commercial liability policies (e.g. crime, general liability) cover cyber incidents.
What types of policies are available?
There are over 60 cyber insurance policies on the market. This number will increase further as more primary insurers rush into the market. As with any other insurance policy, it’s important to read the fine print and ensure exclusions are acceptable to your organization’s risk profile. Coverage tends to include first- and third-party liabilities for all or any combination of the below:
- Fines and loss notice costs
- Data loss & recovery
- Errors & omissions
- Financial loss (e.g. bank account)
- IT remediation
- IT forensics
- Fines and penalties
- Law suits (arbitration/court case)
- Cyber extortion (e.g. ransom payment)
- Cyber mobbing
- Business interruption
- General crisis management & public relations activities
- Reputational damage
As part of the process, smaller organizations will be asked to fill in questionnaires to obtain a cyber policy. Larger organizations might be asked to have an external information security expert conduct a risk assessment/audit.
Similar to incident response retainers, cyber insurance only presents another layer of a modern approach to an organization’s cybersecurity and risk management that should be on the radar of decision makers.
What is the industry opportunity?
According to Marsh & McLennan, an insurance company, the stand-alone cyber insurance market in the U.S. and Europe has experienced growth rates of around 20-30% for the past years while being a niche product for almost two decades. According to Fitch Ratings, a credit ratings and research company, financial institutions are purchasing the highest coverage limits; education organizations are investing in the lowest limits. Many markets remain in nascent stages. Many primary insurers and Munich RE, the world’s largest reinsurance company, consider cyber policies a major opportunity to invest in given that inflation adjusted premium growth rates of 2.8% for classic insurance products.
What are the challenges?
Entering the market presents a challenge to insurance companies:
- They have a shortage of talent to design and manage the cyber product as insurers compete with any industry and the public sector for cyber experts that understand the commercial and technical requirements.
- Asking organizations to report cyber incidents remains a challenge to government and other private bodies around the world. Accordingly, insurers lack solid data/risk models to properly price and understand the dynamic nature of cyber risk which increases their exposure to financial loss. Historical data in information technology risk does not necessarily predict future risk. Insurers have difficulty building actuarial tables that allow them to understand the relationship between claim probability, payout amount and premium. In addition, given the global reach and general pervasiveness of cyber, there are concerns about aggregation and severe cyber event scenarios such as a power grid black out that result in uncontrollable financial losses of up to $ 71.1 bn for the insurance industry. This leaves many insurers concerned about entering the market at its current maturity. Even credit rating agencies note that a massive growth in stand-alone cyber coverage or accumulation of cyber portfolios would outweigh benefits and could lead to negative ratings
- As a response to the unknown cyber risks, insurers raise premiums and play with deductibles, coverage limits, conditions and exclusions for their products. The product they sell today will not be the product they sell a year later. One major incident could also make renewals impossible or lead to a significant spike in the policy’s premium. Along these lines insurers are best advised to audit their existing coverage portfolios for cyber clauses to fully understand their exposure to cyber claims
- Due to the challenge of attribution in cyberspace, insurers have reduced chance of recovering financial losses by going after the initiators of, say malware or DDoS attack that led to a claim.
- Insurers have difficulty in managing the cyber claims process as policies cover various events that result in activities of various parties, e.g. information security company, law or public relation firms. Many insurers tend to reach out to technology and information security service firms and their incident response units to provide rate cards in case of events. The issue here is that incident response units are highly specialized and work at hourly rates of up to $500. They might be overqualified to solve some client issues, and in order to maintain response SLAs, they usually request monthly retainer payments that insurance companies are not willing to pay to each firm in their cyber claims support service portfolio.
- A lack of common language and change of meaning of cyber incidents and the underlying causes over time.
- Products are not appealing to the small and medium enterprise mass market. Either clients do not consider themselves at risk or they think premiums are too expensive relative to the perceived risk exposure. Moreover, insurers have difficulty fully understanding the risk and appropriate counter measures of the policy holders through questionnaires.
Do Silicon Valley and fintech startups pose a threat?
Given the lack of cyber event data and general understanding of information technology, many insurers are concerned that companies such as Google and agile fintech startups will be in a better position to gather and analyze cyber risk data and eventually offer insurance products themselves. This is surprising as many large insurance companies have the budget to heavily invest in innovative products to build cyber risk models. Companies such as Loyds have already collaborated with other institutions to build reporting standard.
The first real-time insurance?
Given the dynamic nature of cyber risk, insurance companies should be cautious using classic product lifecycles. A cyber insurance policy could be designed dynamically on a day-to-day or even month-to-month basis. This is how it could work:
- The premium base differs per industry and client scenario on a daily basis based on underlying data of risks/recent cyber events. That way, underwriters do not sell a product with outdated premiums that do not match the underlying risk model.
- Once a policy is sold, clients pay the premium on a monthly basis. If they have certain cyber defense measures, such as firewalls, antivirus software or a Security Operations Center, the premium can be lowered from the start. If they do so throughout the year or as a response to certain cyber attacks, they can reduce their premium payment the following month. If there is a major cyber event within a policy holder cluster, premiums could be increased to reduce claims exposure.
- To go a step further, insurance companies could design their cyber policies like some investment products. Say a company would like to have two-year coverage. Premiums could be set on a floating monthly basis based on the historic daily risk in that month. For a slightly higher premium, organizations could lock in an increase or decrease in a certain corridor so that organizations have some planning horizon. Otherwise premiums fluctuate more.
Regardless of the data, the cyber insurance industry can be expected to mature as the market grows, and it presents an opportunity for the demand and supply side.
Alexander Schellong is CSC’s General Manager Cybersecurity in Central & Eastern Europe, Italy and Turkey.