Cyber risks are real and are constantly evolving with technological advances and pervasiveness. Whether individuals, small businesses or multinationals, all might face a Cyber incident that can result in costly financial consequences. In times of heavy competition in classic insurance products and negative interest rate headwinds limiting returns from insurers’ bond portfolios, Cyber risk presents a major opportunity for the insurance industry. With annual growth rates of up to 100%, global Cyber insurance market size predictions for 2025 range between $ 10 to 20+ bn. However, at this time Cyber also presents a risk least understood by the insurance industry (and beyond).
Over the past 12 months I have seen a significant increase in client conversations about Cyber insurance on the demand and supply side. The following provides a brief summary of observations and recommendations for insurance companies and for those that consider buying a policy.
Does your organization need Cyber insurance?
Unfortunately, whatever the size of your organization, make no mistake: you are at risk of falling victim to a Cyber attack, regardless of the probabilities quoted for your industry. You might be the actual target, the intermediary for some other target or just hit randomly or by accident. You might know immediately (e.g. ransomware) or only after a long time that something happened. It is never only your organization’s information technology that is on the line; your internal operations, reputation or customers can be affected as well. So there are first and third party liabilities you have to deal with over time.
Target, a U.S. retail company, incurred costs of around $ 260 M following its massive data breach. Its Cyber insurance coverage was capped at $ 90 M. That probably cost Target between $ 200,000 to 400,000 in annual premiums. For $ 0.5 to 1 million coverage, organizations pay anything between $ 500 to 20,000 per year. Coverage beyond 100 million can be realized by combining multiple underwriters. Considering that the EU data protection regulation that was just passed includes fines up to 5% of global revenue / up to 100 M Euros, and the above example, some organizations will consider coverage options beyond 100 M necessary.
Premiums for the same insurance liability coverage amount differ between industries and organizations because risks and Cyber defense vary. The premiums for two hospitals of the same size could differ by several thousands of dollars because one has a better Cyber defense than the other. A breach at a retailer could lead to an overall increase in premiums for all retailers. So before buying a stand-alone Cyber insurance, any organization should invest some time understanding its Cyber risks and defense. The insurer will do the same. Small and medium enterprises might find this challenging as they lack expertise or budget to hire experts. A lot of the information to conduct such an assessment is available online free of charge. The organization should also check its existing insurance portfolio as some commercial liability policies (e.g. crime, general liability) cover Cyber incidents.
There are over 60 Cyber insurance policies on the market. This number will increase further as more primary insurers rush into the market. As with any other insurance policy, it’s important to read the fine print and ensure exclusions are acceptable to your organization’s risk profile.
Coverage tends to include first and third party liabilities for all or any combination of the below:
- Fines and loss notice costs
- Data loss & recovery
- Errors & omissions
- Financial loss (e.g. bank account)
- IT remediation
- IT forensics
- Fines and penalties
- Law suits (arbitration/court case)
- Cyber extortion (e.g. ransom payment)
- Cyber mobbing
- Business interruption
- General crisis management & public relations activities
- Reputation damage
As part of the process, smaller organizations will be asked to fill in questionnaires to obtain a Cyber policy. Larger organizations might be asked to have an external information security expert conduct a risk assessment / audit. This is always a sensitive issue because it can reveal a past breach, or it simply feels uncomfortable opening up to a third party.
Similar to incident response retainers, Cyber insurance is just another layer of a modern approach to an organization’s Cybersecurity and Cyber risk management, and it should be on the radar of decision makers.
The multi-billion Cyber insurance policy opportunity
According to Marsh & McLennan, an insurance company, the stand-alone Cyber insurance market in the U.S. and Europe has experienced growth rates of around 20-30% for the past years, after being a niche product for almost two decades. According to Fitch Ratings, a credit ratings and research company, financial institutions are purchasing the highest coverage limits, and education the lowest limits. Many markets remain in nascent stages. Many primary insurers and Munich RE, the world’s largest reinsurance company, consider Cyber policies a major opportunity to invest in, given inflation adjusted premium growth rates of 2.8% for classic insurance products.
Entering the Cyber insurance market presents a challenge to insurance companies:
- They have a shortage of talent to design and manage the Cyber product, as insurers compete with every industry and the public sector for Cyber experts that understand the commercial and technical requirements.
- Asking organizations to report Cyber incidents remains a challenge to government and other private bodies around the world. Accordingly, insurers lack solid data / risk models to properly price and understand the dynamic nature of Cyber risk, which increases their exposure to financial loss. Moreover, historical data in information technology risk does not necessarily predict future risk. Insurers have difficulty building actuarial tables that allow them to understand the relationship between claim probability, payout amount and premium. In addition, given the global reach and general pervasiveness of Cyber, there are concerns about aggregation and severe Cyber event scenarios such as a power grid blackout that result in uncontrollable financial losses of up to $ 71.1 bn for the insurance industry. This leaves many insurers concerned about entering the market at its current maturity level. Even credit rating agencies note that a massive growth in stand-alone Cyber coverage or accumulation of Cyber portfolios (including those Cyber risks hidden in other insurance products) would outweigh benefits and could lead to negative ratings. Lloyd’s considers Cyber among the top five market risks in 2016.
- As a response to the unknown Cyber risks, insurers raise premiums and play with deductibles, coverage limits, conditions and exclusions for their products. It is clear that the product an insurer sells today is no longer the product it sells a year later. One major incident could also make renewals impossible or lead to a significant spike in the policy’s premium. Along these lines, insurers are best advised to audit their existing coverage portfolios for Cyber clauses to fully understand their exposure to Cyber claims.
- Due to the challenge of attribution in Cyberspace, insurers have a reduced chance of recovering financial losses by going after the initiators of, say, malware or DDoS attacks that led to a claim.
- Insurers have difficulty managing the Cyber claims process, as policies cover various events that result in activities of various parties (information security, law or public relations firms) that need to be coordinated and prearranged (pricing, SLAs, etc.). Many insurers tend to reach out to technology service and information security firms and their incident response units to provide rate cards in case of events. The issue here is that incident response units consist of highly specialized individuals that work at hourly rates of up to $ 500. They might be overqualified to solve some client issues. In order to maintain timely response SLAs they usually request monthly retainer payments that insurance companies are not willing to pay to each firm in their Cyber claims support service portfolio.
- There is a lack of a common language, and the meaning of Cyber incidents and their underlying causes changes over time. This could lead to lawsuits between policy holders and insurers.
- Products are not appealing to the small and medium enterprise mass market. Either clients do not consider themselves at risk, or they consider the premiums too expensive relative to their perceived risk exposure. Moreover, insurers have difficulty fully understanding the risk and appropriate countermeasures of mass market policy holders through questionnaires.
The fear of Silicon Valley and fintech startups
Given the lack of Cyber event data and general understanding of information technology, many insurers are concerned that companies such as Google and agile fintech startups will be in a better position to gather and analyze Cyber risk data, and will eventually offer insurance products themselves. This is surprising, as many large insurance companies have the budget to invest heavily in innovative products and build Cyber risk models. Companies such as Lloyd’s have already collaborated with other institutions to build reporting standards.
The first real-time insurance?
Given the dynamic nature of Cyber risk, classic product life cycles might put an insurance company at risk if it follows that model of fixed rates over longer periods of time. So a Cyber insurance policy could be designed dynamically on a day to day or even month to month basis. This is how it could work:
- The premium base differs per industry and client scenario on a daily basis based on underlying data of risks / recent Cyber events. That way underwriters do not sell a product to new clients with outdated premiums that do not match the underlying changes in the risk model. Furthermore, this would optimize the ratio of portfolio risk exposure to reserves as well as general returns for the insurer.
- Once a policy is sold, clients pay the premium on a monthly basis. If they have certain Cyber defense measures such as firewalls, antivirus software or a Security Operations Center, the premium can be lowered from the start. If they do so throughout a year or as a response to certain Cyber attacks, it can reduce their premium payment the following month. If there is a major Cyber event within a policy holder cluster, premiums could be increased as well to reduce claims exposure.
- To go a step further, insurance companies could design their Cyber policies like some investment products. See the figure above. Say a company would like to have a two year coverage. Premiums will be floating on a monthly basis based on the historic daily risk (Risk = R) in that month, which then determines the premium at month-end (Premium actual = Pact). For a slightly higher premium, an increase or decrease can only happen within a certain corridor (Premium minimum (Pmin) / Premium maximum (Pmax)) so that organizations have some planning horizon. Otherwise premiums can fluctuate beyond Pmax. Note that organizations might start with a Pact that is close or equal to Pmin if they have a low risk profile (a combination of Cyber defense and the type of business). Pact might as well drop below R, as the policy holder might have taken quick measures to reduce their risk. In addition, insurers will not accept a Pact that is too close to R, as it would not allow them to build the necessary reserves and returns.
- Just like for your car insurance, insurance firms might be able to place monitoring devices in your network or on your endpoint(s) that allow them to quickly determine your Cyber risks. Of course this could be a tough sell considering recent research by PEW on auto insurance discounts and monitoring and the general preference of organizations to keep Cybersecurity incidents quiet.
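To make the floating-premium idea above concrete, here is an added example (not from the original post, and not any insurer's actual pricing model) that turns the month's daily risk figures into R, applies a loading so Pact stays above R, grants a discount for Cyber defense measures, adds a temporary uplift after a cluster event, and, when the optional corridor is bought for a surcharge, clamps Pact to [Pmin, Pmax]. The loading, discount and surcharge percentages and the daily risk values are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Optional, Sequence


@dataclass(frozen=True)
class Corridor:
    """Optional premium band [Pmin, Pmax], bought for a surcharge (assumed 5%)."""
    p_min: float
    p_max: float
    surcharge: float = 0.05


def monthly_risk(daily_risk: Sequence[float]) -> float:
    """R for the month: mean of the daily expected-loss figures (constructed, in USD)."""
    if not daily_risk:
        raise ValueError("a month needs at least one daily risk observation")
    return mean(daily_risk)


def floating_premium(
    r: float,
    loading: float = 0.30,
    defense_discount: float = 0.0,
    cluster_loading: float = 0.0,
    corridor: Optional[Corridor] = None,
) -> float:
    """Pact for one month, determined at month-end from R.

    loading           keeps Pact above R so the insurer can build reserves and returns
    defense_discount  reduction earned by measures such as firewalls, antivirus or a SOC
    cluster_loading   temporary uplift after a major event in the policy holder's cluster
    corridor          if bought, the surcharge is applied and Pact is clamped to [Pmin, Pmax]
    """
    if not 0.0 <= defense_discount < 1.0:
        raise ValueError("defense_discount must be in [0, 1)")
    pact = r * (1.0 + loading + cluster_loading) * (1.0 - defense_discount)
    if corridor is not None:
        pact *= 1.0 + corridor.surcharge
        pact = min(max(pact, corridor.p_min), corridor.p_max)
    return round(pact, 2)


def premium_schedule(months, corridor: Optional[Corridor] = None, loading: float = 0.30):
    """Pact for each month in a policy. Each month is a dict with 'daily_risk' and
    optional 'defense_discount' / 'cluster_loading' keys (constructed input format)."""
    return [
        floating_premium(
            monthly_risk(m["daily_risk"]),
            loading,
            m.get("defense_discount", 0.0),
            m.get("cluster_loading", 0.0),
            corridor,
        )
        for m in months
    ]


# Constructed sample: three months of daily risk data for one policy holder.
SAMPLE_MONTHS = [
    {"daily_risk": [100, 100, 120, 80]},                           # baseline month
    {"daily_risk": [100, 100, 120, 80], "defense_discount": 0.2},  # SOC stood up
    {"daily_risk": [200, 200, 200, 200], "cluster_loading": 0.2},  # cluster event
]

if __name__ == "__main__":
    band = Corridor(p_min=110.0, p_max=140.0)
    print("no corridor :", premium_schedule(SAMPLE_MONTHS))
    print("corridor    :", premium_schedule(SAMPLE_MONTHS, corridor=band))
```

Without the corridor the third month's premium jumps with R; with it, the policy holder pays the surcharge every month but never more than Pmax. A large enough defense discount can also push Pact below R when no corridor is bought, which is the case the post mentions for quick risk-reducing measures.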
Regardless of the data issue, the Cyber insurance market can be expected to mature as the market grows. So it presents an opportunity for the demand and supply side.