Insurance underwriting in general is complicated. Cyber insurance is even more complex to underwrite. The policy can change from month to month because of the fluctuating and dynamic natures of cyber risks. Unlike long-time established insurance plans, underwriters of cyber insurance have limited information to create risk models to evaluate insurance policy premiums, coverages, and rates.
Nowadays, any company can be threatened by a breach of the sensitive employee or customer data in this digital era. As technology becomes more advanced and complex, so do the risks of a data breach we face.
There are seven major sub-categories of cyber insurance that we want to cover in this article. Let’s dive into each.
According to Technopedia, “ Cyber insurance is a form of insurance for businesses and individuals against internet-based risks. The most common risk is data breaches. Cyber insurance typically includes indemnification from lawsuits related to data breaches, such as errors and omissions. It also covers losses from network security breaches, theft of intellectual property, and loss of privacy.”
During the late 1990s, the first cyber insurance policy was written to protect companies from being exposed to hackers who started to seek ways to benefit financially. As in the United States, such a policy started off to cover the online media companies’ expenses after a malicious cyberattack and errors in the data processing.
In the early 2000s, online media policies began to cover unauthorized access like computer viruses, worms, data loss, or network security. However, fines, penalties, rogue employees, and regulatory claims were excluded.
It wasn’t until the mid-2000s that cyber insurances started to provide coverage to both first and third parties. The updated policies started to provide coverages like network asset damage, cyber business interruption, and cyber extortion.
Fast forward to 2003, the California Security Breach and Information Act came into effect because the Federal Trade Commission reported that they have received more than 200,000 complaints of identity theft. The act requires a state agency or business to inform Californian residents once they have found an unauthorized person, who acquired their customers’ unencrypted personal data.
Many other states followed California’s lead and passed similar acts in the following years. It created profound impacts on the private sector. Cyber insurers adapted quickly to offer new coverages like regulatory defense, information security, IT forensics, and more.
But many coverages still had a small sub-limit in the late 2000s, because insurers were uncertain about the premiums of the new exposures in cyber risk.
Today, the number of insurers with stand-alone cyber insurance grew to more than 100. Huge data breaches and claims have become more common than ever. Even large companies like Adobe, eBay, LinkedIn, and more are no strangers to data breaches. In fact, data breaches are increasing with more than 4.1 billion records in the first six months of 2019.
In summary, the industry is changing constantly and cyber insurance will need to adapt rapidly to the market. And with the advancement in technology, insurers are able to introduce cyber insurance of different forms, better pricing, and new risk management services that can address different clients’ needs.
Coverage of Cyber Insurance
Cyber insurers offer coverage to traditional insurers, cloud providers, and internet service providers. The coverage plan can be customized based on the level of security position. The cyber insurers will normally ask the customers to do a self-assessment form, then arrange an onsite assessment and third party to perform a risk assessment on the customer information technology and cybersecurity level. The higher level of cybersecurity, the lower premium the companies have to pay. Basically, there are two types of coverage, first-party, and third-party coverage.
First-party coverage often provides reimbursement to companies to cover the costs of a cyberattack that negatively impacted their business. The coverage can be very specific or broad, depending on the companies requirements. For example, it can be as broad to include reimbursement for post-cyber attack costs like hiring crisis management consultants or negotiators to rebuild brand reputation and manage ransom payments, data recovery, and credit monitoring.
Third-party coverage covers the entities’ expenses incurred by their customers because of malware infections, data breaches, or other forms of cyberattacks in which the insured entity was at fault. Furthermore, they also offer benefits such as criminal reward funds, regular security audits, and post-incident public relations. Since the underwriting of cyber insurance is still in its early development, cyber insurers are collaborating with IT security companies to create their products.
Types of Cyber Insurance
Stand-alone cyber insurance closes the gaps in traditional insurance products of cyber exclusions. It offers a more comprehensive cyber coverage than an extension of an existing policy like professional indemnity or management liability insurance. Moreover, it covers mainly on a wide range of cyber risks and is developed to reduce company risk exposure by reimbursing recovery expenses involved after a cyber-related attack.
Cyber insurance can be also bought as a normal coverage added into a traditional insurance policy which is usually offered in a package with traditional insurance products such as general liability, professional indemnity, property, director and officer, crime, and more.
Silent cyber refers to potential cyber exposures in the grey areas of traditional insurance product coverage which may not implicitly exclude or include cyber risks. The lack of clarity often leads to misunderstanding and confusion about the coverage. As such, it became a key concern for insurers and industry regulators in the US and EU because claims disputes arose over cyber expenses implicitly stated in traditional policies.
Personal Cyber Insurance
Personal cyber insurance provides coverage to cover the costs associated with cyberbullying and identity theft. There is a wide variety of ways that cyberattacks can end up in a financial loss, from the theft of bank accounts details to payments extortion via anonymous online threat. In general, there are no two same personal insurance policies, and it is mainly being categorized into financial loss from fraud, home and personal protection, and extortion.
Market in General
The US accounted for about 80% to 90% of the global cyber insurance market, whereas the EU market accounts for around 5% to 9%. The introduction of the EU’s General Data Protection Regulation (GDPR) in May 2018 helps to increase the awareness of costs and risks associated with data breaches and it is very likely to further increase the cyber insurance demand in the EU. According to the research done by Allied Market Research, the global cyber insurance market was expected to grow from $4.85 billion in 2018 to $28.60 billion by 2026, recording a CAGR of 24.9% from 2019 to 2026. As of now, the most common types of cyber insurance coverage in the EU are for cyber extortion, business interruption, data restoration, brand reputation issues, and legal support.
The White House Council of Economic Advisers formulated a way to estimate the cost of cyberattacks by calculating how market prices react to firms that suffered malicious cyber attacks. They estimated that cyberattacks alone costed the US economy between $57 billion and $109 billion in 2016, which is equal to 0.3% to 0.6% of GDP. At the same time, US cyber insurance companies pay out around $356 million in claims to policyholders, but it is just less than 1% of the estimated losses. In comparison, 50% of losses were paid by insurers for natural catastrophes between 2015 to 2018.
In 2019, the premiums written in the cyber insurance market grew year over year by 11% to $2.25 billion. PWC estimated that the annual written premium of cyber insurance is set to increase from $2.5 billion to $7.5 billion by 2030. And the US cyber insurance market is dominated by the top 10 insurers who hold a majority market share offering package and stand-alone cyber insurance policies.
All insurance companies who underwrite direct insurance reported the use of models (Qualitative or Quantitative) for pricing purposes. The primary differences between the models are methodology, the complexity of the model, degree of specialization for cyber models, and the number and type of parameters included. And the majority of insurers depend on the use of qualitative models to price cyber insurance due to the lack of specialized tools and data. The European Insurance industry and the Occupational Pensions Authority prepared a report and listed factors to calculate the right pricing here. In general, cyber insurance is comparatively expensive to other types of insurance because of the uncertainties and risks associated around. It is estimated that cyber insurance coverage is six times more expensive than property insurance and three times more expensive than general liability insurance.
Cyber insurance is considered as a vigilant, vibrant, volatile, and immature product. Which is still comparatively expensive in comparison to other types of insurance policies. Here is a list we have put together for the current challenges of the insurance industry to launch cyber insurance products: :
- Cyber insurers are inexperienced in the cyber insurance market
As the cyber insurance market is new and developing rapidly, cyber insurers rely on a few indirect factors to underwrite insurance premiums. For example, creating questionnaires to evaluate the riskiness of customers, market estimations on the cost of cyberattacks, and policy details of other insurance companies.
The lack of legal precedent on cyberattacks issues affect the probability an insurer will have to pay during the data breach event. It will also affect how they should price the insurance premiums because of uncertainty. They also have to consider what is specifically covered and on how to standardize legal battles over fundamental issues.
Also, cyber insurers need to formulate a way to deal with the possibility of a large scale cyber attack. They may have to pay claims to all their policyholders at once like flood insurance. A better modeling of cyberattacks can enable the insurers to evaluate the interrelated risks. Thereby, creating enhanced cybersecurity practices and standards to prevent catastrophic attacks.
- Lack of general awareness and knowledge from decision-makers
Decision-makers of companies in general are lacking knowledge and awareness about cybersecurity. Thereby, making too little demand to seek for cyber and business expertise of ways to mitigate and prevent cyber risks. A lot of them also overestimated the coverage of their current insurance policy.
When a company suffers cyber attacks, they often play down the incident, thereby, reliable data is missing to be accounted for insurance underwriting. Insurers are incapable of distinguishing users of different risk types.
Some decision-makers will undertake actions that negatively affect the loss of probabilities after signing insurance contracts. The accumulation of under-evaluation will lead to a lack of market standards and tools to access risk.
- Advanced in hacking techniques
Hackers are constantly searching for new ways to invade the computer network that was being developed by the insurers. Furthermore, insurers depend a lot on customers having consistent risk profiles. But, the fast-evolving hacking techniques and strategies hackers used make it hard for insurers to access the real risk of a potential customer.
Emerging technologies to be aware of
The cyber insurance market is growing as fast as technology innovation. Technology can enhance business to be more streamlined and efficient, but sometimes innovation comes at a cost. Here are some of the technologies that are used and succumb to cyberattacks:
The Internet of Things (IoT) means a network of interconnected objects that are embedded with software, sensors, and other technologies for exchanging and connecting data with other devices or systems over the internet. The increased usage of such devices poses greater cybersecurity risks because of the immense amounts of personal and insightful data that are being collected. It can also be misused by hackers to overload networks, damage the equipment, and turn off important equipment for financial gain.
An autonomous car can sense its surroundings and operate without human intervention. One of the key concerns is the various electrical control units (ECU) in the car that are interconnected. For example, if hackers manage to gain access to the vulnerable electronic control units, they can play with the safety of the car by controlling its engine or break and cause accidents. Even more worrisome is that automakers source ECUs from many different sources, meaning no single-player fully understands the vehicle’s source code.
Cloud technology enables people to use online resources to store and share information in the virtual space. Large companies or SMEs are spending significantly on cloud services and it could open up to a higher risk of cyberattacks. Hackers will scan the internet for cloud servers that are vulnerable and without a certain amount of security measures, which hackers will use in turn to l carry out cyber attacks in the unpatched systems for financial gains.
Ways to combat cyber attacks
High profile cyber-attacks on companies like Yahoo and eBay have raised awareness of the increasing cyber threat in which it prompts businesses and the government to put more effort into strengthening defenses. Here are some ways to protect yourself from cybercrime:
Blockchain has been regarded as a way that has the potential to fundamentally change the insurance industry. It helps to reduce a company’s cyber risk by offering an unchanging, shared, and decentralized ledger. It reduces the risk of a network that can be compromised from a single source. Insurers also prefer companies that are utilizing blockchain technology by offering lower premiums due to the perceived higher cybersecurity levels.
Data encryption is a secure way to encode information and make it only can be decrypted and accessed by a user with the right encryption key. It allows companies to transmit vast amounts of confidential data from one network to another without being compromised. Helping businesses to maintain high levels of trust of its customers and also reducing penalties businesses need to pay for non-compliance.
While it’s important to set up a system to protect your business with cybersecurity, employees can be even more vulnerable to cyber-attacks. All employees should understand the right way to dispose sensitive information and have processes in place to change passwords on a regular basis. By investing in employee development and learning in cybersecurity, the chances of suffering from cyber-attacks will decrease substantially.
As demand and awareness continue to rise, it’s undoubtedly clear that cyber insurance will have a bigger market potential despite the challenges.
Cyber risks pose some of the biggest threats to companies nowadays. Companies cannot rely only on cyber insurance to protect themselves because it is still in its infancy and requires further development to better fit customer needs.
Therefore, companies should be aware of the cyber risks and proactively search for ways to mitigate and prevent cyberattacks from happening.
By the way, if you’d like to get some help on creating new cyber insurance products, let us know here. We’re more than happy to help!