Cyber insurance does not get much attention when stories of the latest major cyberattack hit the headlines. But with the ever-increasing number of high-profile cyberattacks, 2016 may be the year cyber insurance finally takes the spotlight.
A fast-growing market
Currently, first-party insurance products cover losses associated with data destruction, denial of service attacks, theft and extortion. In addition, some insurers also cover incident response and remediation, crisis management, forensic investigations, data restoration and business interruption.
Both sides of the cybersecurity insurance market—businesses seeking policies and the insurance companies that sell them—are expanding rapidly, according to David Burg, global and U.S. cybersecurity leader at PwC. In fact, cybersecurity insurance is one of the fastest-growing sectors in the insurance industry.
"In part, this is because businesses understand that they can’t stop increasingly frequent and sophisticated cyberattacks, so they are purchasing insurance as a way to help mitigate the financial impact," said Burg. "Many see cybersecurity insurance as a new tool to help manage corporate risks."
A report last year from PwC forecast that the global cybersecurity insurance market will hit $7.5 billion in annual sales by 2020, up from $2.5 billion in 2015. And more companies appear to be buying cyber insurance.
PwC’s annual Global State of Information Security Survey showed solid year-over-year growth in the number of companies that purchased cybersecurity insurance. In 2015, for instance, 59% of global respondents said they had cybersecurity insurance—up from 45% just two years ago.
The market is more mature in the U.S., where 63% of survey respondents said they had purchased policies last year.
Concrete numbers on cyber insurance are harder to pin down. The National Association of Insurance Commissioners (NAIC) is currently collecting cybersecurity and identity theft insurance data for 2015. An NAIC spokesperson explained that right now data is only collected via surveys by companies like Advisen and some of the brokerage firms.
Once insurers file cyber insurance information, NAIC will have a better idea of the amount of cybersecurity and identity theft insurance that insurers are writing, according to the spokesperson.
Because cyber insurance is a comparatively new insurance product, insurers are still working to determine best practices, including how to price policies appropriately.
"Insurers are challenged by limited historical data on the financial impact of cybersecurity incidents," Burg said. "This makes it difficult to estimate probabilities and costs of loss, and determine appropriate premiums. But as more businesses continue to share information about cybersecurity threats and incidents, insurers will have access to a broad scope of data that can help them make these decisions."
Cyber insurance can present challenges for business as well. The choices can be confusing, leaving companies unsure what to select in order to ensure they have appropriate coverage.
"A challenge for many businesses is the fact that there’s no one-size-fits-all recommendation for buying cybersecurity insurance," said Burg. "The right policy will vary by company size, industry sector, type of data stored, maturity of security controls and individual risk tolerance."
Yet, Burg said, cyber insurance is a worthwhile investment for most businesses for a number of reasons. First, cybersecurity insurance is a useful tool to help companies manage risks and mitigate the financial losses of cybersecurity incidents. Second, most insurers require a thorough assessment of current capabilities and risks as a precondition to purchasing a policy, and that can help companies better understand their cybersecurity capabilities.
"These evaluations also can help businesses better predict legal and regulatory exposures, costs of response and potential brand damage related to cybersecurity incidents," said Burg.
But Burg also warns that businesses should understand that they cannot insure for all financial losses caused by cybersecurity incidents.
"Damage to a company’s reputation or brand, for example, isn’t covered by most insurers," Burg said. "Businesses also need to carefully scrutinize policies for any exclusions that the insurer will not cover."
NAIC agrees that cyber insurance can be a worthwhile investment for a business if it is used as part of its risk management process. And because cyber threats continue to grow, NAIC’s spokesperson said, it is likely the market will continue to grow as well.
In some industries, and financial services in particular, cybersecurity insurance may soon even become a regulatory requirement, Burg said.
"The SEC has said that businesses should be prepared to disclose and describe relevant cybersecurity insurance coverage," said Burg. "The New York State Department of Financial Services is expanding its IT examination procedures to include cybersecurity insurance coverage. And as cybersecurity insurance becomes increasingly mainstream, organizations could face pressure from business partners, suppliers and customers to purchase policies."