- By 2025, the cyber insurance market is expected to reach $20 billion, according to research from CB Insights. Direct written premiums (DWP) hit $3.5 billion in 2018, but cyber premiums more broadly accounted for less than 1% of the U.S. property and casualty industry.
- For Chubb, the top U.S. cyber insurer, cyber makes up less than 2% of the company's overall DWP. Companies with expertise in the space, including Beazley and BCS, reported cyber DWP at 32.9% and 18.9%, respectively.
- CB Insights estimates 500 insurance providers in the U.S. offer cyber policies. The majority, 96%, bundle cyber into their commercial insurance products. Cyber is packed in beside property or liability policies.
As cyber matures, traditional insurers are cautiously approaching the issue and some are declining coverage altogether.
Traditional insurers are leaning on ambiguity to delay paying out claims on cyber policies. Now industry is seeing companies who have had cyberattacks legally pursuing carriers for refusing coverage.
Mondelez International is suing Zurich for failing to cover damages related to 2017's NotPetya attack. The policy in question was for standalone property damage and unspecific to cyber. The Chips Ahoy! manufacturer was collateral damage for the wiper attack, alongside shipping giant Maersk.
Because Mondelez was among a string of companies brought down by NotPetya during a "time of peace," the war exclusion Zurich is enforcing is conflated. The case is ongoing.
State Auto Property & Casualty Insurance lost a court battle after the insurer was sued by a customer, National Ink & Stitch, when it declined to replace a computer system fried by ransomware.
With uncertainty surrounding where coverage begins and ends, cyber-specific policies are gaining momentum. Cyber premiums increased by an average of 3% in Q4 2019, according to risk management and insurance broker Marsh. But less than one-fifth of companies say cyber policies fulfill all their needs.
Companies may unintentionally undercut their coverage during the underwriting process. Including the risk management team, outside advisors and coverage lawyers help weed through interpretation for the customer and carrier.
Traditional carriers are removing non-affirmative cyber risks from their products. If a cyber risk cannot be linked to a physical incident, insurers won't provide coverage.