Cyber insurance is both opportunity and challenge—a chance to tap into a new profit pool and reach new customers, but also a challenge to assess, price and keep pace with a rapidly evolving risk.
It seems like every week there’s news of a new cyber attack. A Reuters story posits that Equifax’s 2017 data breach could be the most costly in corporate history (as of March 2018, the price tag was $439 million, with $125 million covered by insurance). Also in 2017, malware interrupted the business of a pharmaceutical giant, leading to an estimated $275 million in cyber claims. And it isn’t just the private sector under attack. After a $56,000 ransomware attack, the City of Atlanta paid nearly $3 million in recovery costs.
When it strikes, cybercrime can be expensive, and most companies are vastly underinsured. Analysts estimate the global standalone cyber insurance market to be worth $2 billion. That’s small potatoes compared to the $96 billion that Gartner forecasts for worldwide security spending in 2018, and a tiny fraction of Hiscox’s estimate for the annual global cost of cybercrime: $450 billion.
Cyber offers opportunities—and challenges
Earlier this year, Accenture published Explosive Growth: Insurance as a Living Business, which identified five areas where carriers can drive growth and gain market share. The second-biggest opportunity, by estimated new revenue potential, was in new risks that have emerged as a result of technological or other innovation. In total, the estimated value of these new risks is $111 billion. And the second-largest of the new opportunities (after new commercial exposures in auto insurance) is cyber insurance.
And just last week on PC360, my colleague Michael Costonis wrote that “the real hurricane for insurers could be in cyber insurance.” Right now, insurers could be described as revelers at a party, with cyber premiums fast rising. But the last call might be coming—soon. First, the 2017 Cost of Cyber Crime Study from Accenture Security found that the potential scale of cybercrime is rising: On average, it takes 50 days for an organization to resolve a malicious insider’s attack, and costs $2.4 million to address a malware attack.
Second, there’s the potential for very expensive claims, and as I’ll discuss in next week’s post, cyber insurance isn’t as rigorously priced as it ought to be. The increasingly global nature of markets means that if a large software or service provider were compromised, it could potentially affect businesses across geographies and industries. Consider that a 2017 report from Lloyd’s estimates that a major cyberattack could trigger $53 billion in economic losses, putting it on par with Hurricane Sandy in 2012.
Insurers are well aware of the potential cost of cyber exposure. In the US in particular, many have excluded cyber risk from general policies, and have shifted from packaged or bundled coverage toward standalone cyber policies. However, the vague, loose wording on policies and endorsements means that many insurers are still inadvertently covering cyber—what’s known as silent risk—and these risks are neither well understood nor appropriately priced.
Over the course of this blog series, I’ll look at the cyber insurance industry and answer some key questions. Where are the opportunities? What are the stumbling blocks? And how can carriers take a more proactive role in addressing such a rapidly shifting risk? I look forward to tackling these questions in the weeks ahead.