Organizations already have a long list of insurance policies—for automotive accidents, healthcare, natural disasters, fire and water damage—and adding a policy to cover security incidents makes sense from a risk management perspective. And the numbers show that the cyber insurance market is growing rapidly. Direct cyber insurance premiums grew to $2 billion last year, up 26 percent since 2015, Moody’s Investors Service said in a recent report.
Cyber insurance is still in the early stages though, as it represents less than 1 percent of insurance premium revenue in the U.S., Moody’s said. There are about 40 insurance groups in the US offering cyber insurance as a stand-alone policy, but the biggest players are Chubb and Axa SA, accounting for 16.3 percent and 12.8 percent of the market, respectively.
“Growth prospects for cyber insurance are promising given the changing nature of the risk, the pervasiveness of technology, the value of insurance as a risk management tool and expanding regulation, all of which are driving demand for coverage,” said the Moody’s report.
Insurance Makes Sense
The costs of an incident can be substantial. The White House said the 2017 NotPetya attack caused $10 billion in damages. Municipalities around the United States are looking at ransomware demands in the hundreds of thousands of dollars. The debilitating ransomware attack in Baltimore has already cost the city $18 million. Equifax set aside $690 million last quarter to continue dealing with its massive 2017 data breach (before it reached a settlement agreement with the FTC).
Cyber insurance is most common in the education, hospitality, and retail industries. It is less common in healthcare and financial services. Lower levels of government—such as municipalities—are also taking out cyber insurance. When officials in La Porte, Indiana, agreed to pay the $130,000 ransom, $100,000 was covered by insurance. The ransomware bill for Lake City, Florida was about $470,000, but the city had to pay only the $10,000 insurance deductible and let the insurer take care of the rest.
It’s not just recovery and repair costs. Regulators are increasingly empowered to impose heavy fines. European regulators slapped British Airways with a $230 million fine under the General Data Protection Regulation. The New York Department of Financial Services’ Cybersecurity Regulation lays out stringent security requirements for financial services organizations, although it isn’t really clear yet how high potential fines can go.
“The proliferation of new rules around the globe has boosted demand for cyber insurance, but also has raised questions and uncertainty around the scope of insurance coverage,” Moody’s said in its report. “[C]yber insurance policies generally cover losses related to data breaches, but it remains unclear whether they will be able to cover losses related to fines.”
Cyber is Risky to Insure
The demand is clearly there for cyber insurance, but offering stand-alone security-related policies is a risky proposition for some insurance providers. Many of the traditional rules of insurance don’t apply. For instance, the insurance industry relies on historical data to model trends and figure out what incidents are likely and how to cover them. Health, automotive, and natural disaster insurance have lots of different data points and years of historical data to figure out risk.
Those data points currently do not exist for cyberattacks. Attacks tend to be distinct events, so past attacks don’t provide indicators of where future attacks will hit next, or what they will look like. How attacks disrupt businesses also differs from incident to incident, so the impact is harder to measure. There are specific things to look for and measure in terms of risk and cost when looking at a car crash, but that isn’t really possible with a cyberattack.
“Potential risk accumulations are another challenge because the same event can affect multiple clients, particularly as companies move to cloud computing,” Moody’s wrote in the report.
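The accumulation problem Moody’s describes can be put in numbers. The short model below is an added illustration, not part of the original article or the Moody’s report, and its figures (100 insured clients, a 5 percent chance per client of a claim in a year, a 2 percent chance of a shared event such as a cloud provider outage hitting every client at once) are constructed assumptions. It compares a portfolio where client losses are independent, which is what traditional actuarial models assume, with one where a common cause can hit all clients in the same year. The expected number of claims, and therefore a premium priced on expected loss, is identical in both models; what changes is the tail the insurer has to hold capital against.

```python
"""Portfolio claim counts under independent vs. common-cause cyber events.

Added example with constructed figures; not the article's or Moody's own model.
"""
from math import comb


def binomial_tail(n, p, k):
    """P(at least k of n independent clients file a claim), each with probability p."""
    if k <= 0:
        return 1.0
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def common_cause_tail(n, p, q, k):
    """P(at least k claims) when, besides idiosyncratic incidents, a shared event of
    probability q (assumed: a cloud outage, a worm like NotPetya) hits every client.

    The idiosyncratic probability r is chosen so each client's marginal claim
    probability stays p:  p = q + (1 - q) * r  =>  r = (p - q) / (1 - q).
    Hence the expected claim count, n * p, is the same as in the independent model.
    """
    if not 0 <= q <= p < 1:
        raise ValueError("need 0 <= q <= p < 1")
    r = (p - q) / (1 - q)
    shared_hits_all = 1.0 if k <= n else 0.0
    return q * shared_hits_all + (1 - q) * binomial_tail(n, r, k)


def claims_var(tail, n, alpha):
    """Smallest claim count k with P(count > k) <= 1 - alpha (the alpha-quantile),
    i.e. the number of claims the insurer must be able to pay in all but a
    (1 - alpha) share of years. `tail(k)` returns P(count >= k)."""
    for k in range(n + 1):
        if tail(k + 1) <= 1 - alpha:
            return k
    return n


def accumulation_summary(n=100, p=0.05, q=0.02, alpha=0.995):
    """Compare the two models on a constructed portfolio (defaults are assumptions)."""
    independent = lambda k: binomial_tail(n, p, k)
    shared = lambda k: common_cause_tail(n, p, q, k)
    return {
        "expected_claims": n * p,  # identical in both models
        "var_independent": claims_var(independent, n, alpha),
        "var_common_cause": claims_var(shared, n, alpha),
        "p_half_portfolio_independent": independent(n // 2),
        "p_half_portfolio_common_cause": shared(n // 2),
    }


if __name__ == "__main__":
    for key, value in accumulation_summary().items():
        print(f"{key}: {value}")
```

With the default figures the independent model says an insurer covering about a dozen claims is safe in 99.5 percent of years, while the common-cause model, with exactly the same per-client premium, needs capital for all 100 claims at that confidence level, because a 2 percent chance of losing the whole book is far above the 0.5 percent tolerance. That gap is what reinsurers and exclusion clauses are trying to absorb.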
Insurance companies are balancing their risk by putting in exclusions and working with reinsurers, providers that back other insurance companies. Some may be reconsidering being in the cyber insurance market altogether. NotPetya was an eye-opener, because the swath of destruction the malware cut through enterprise networks was not something anyone could have foreseen, J. Eric Smith, president and CEO of Swiss Re Americas, one of the major reinsurers in the world, said at the recent International Conference on Cybersecurity at Fordham University.
Until insurers can improve their understanding of which attacks are likely, they can’t write policies properly. And the exclusions will continue to trip up enterprises. Mondelez International sued Zurich Insurance after the insurer declined to pay the food giant’s claim for NotPetya damage, arguing that the malware outbreak fell under the policy’s “war exclusion” clause. Merck has filed similar lawsuits against 20 insurers. It will take years for the courts to resolve the question of how exclusion clauses work for cyber insurance policies.
“Unique difficulties remain for underwriting cyber insurance,” Moody’s said. “A lack of uniform policy wording and the evolving nature of risk constrain the growth of cyber insurance as a separate product.”