Cyberinsurance Report. PHOTO: Cybercrime Magazine.

Cyberinsurance Report 2017

Cyberinsurance spending forecasts differ widely; cautious optimism for market growth through 2021

The Cyberinsurance Report — sponsored by Sera-Brynn — provides cyberinsurance trends, statistics, best practices, and resources for C-Suite executives, CIOs, chief information security officers (CISOs) and IT security teams.

John P. Mello, Jr.

Menlo Park, Calif. – Mar. 6, 2017

As concern increases over hacker attacks, companies are taking a closer look at cyber insurance as a means of cutting their losses from an assortment of nasty risks.

Data breaches alone averaged anywhere from hundreds-of-thousands to millions of dollars for an enterprise in 2016 — depending on the type, severity, and scope of a breach, and the size of an organization — and cyber incidents ranked third on the risk list for global businesses during the same period.

There are two ways to handle cybersecurity risks: mitigation and transfer. Companies need a mix of both but in the past, they focused on mitigation—intrusion detection systems; security information and event management software; and other kinds of technology.

“What a lot of companies are realizing now when they do cost-benefit analysis, it makes more sense to focus some of their efforts on risk transfer, which is why we think cyber liability insurance is going to be taking off pretty quickly,” says Rob S. Hegedus, CEO of Sera-Brynn, a global cybersecurity audit and advisory firm.

Hegdus isn’t alone in predicting rapid growth for cyber insurance. With only 10 percent of companies with cyber insurance today, there seems to be a lot of room for growth. The cyber market is growing by double-digit figures year-on-year and could reach $20 billion in the next two years, says Nigel Pearson, global head of fidelity at worldwide insurer Allianz.

“Growth in the U.S. is already underway as data protection regulations help focus minds, while legislative developments and increasing levels of liability will see growth accelerate in the rest of the world,” he adds.

Allied Market Research is a little less optimistic about the market size, however. It agrees that double digit growth will occur—28 percent CAGR— over the next six years, but expects the market to reach $14 billion by 2022.

U.S. Drives Sales

A lot of U.S. cyber insurance is actually written in London, which is the largest insurance market in the world. In 2016, the number of companies and individuals buying cyber policies jumped 50 percent and another purchasing surge is expected in 2017, according to the Financial Times.

“At Lloyd’s we are seeing huge cyber insurance uptake, and last year we introduced 15 different types of cover just for cyber, in anticipation of this demand rising in 2017,” Inga Beale, chief executive of global insurer at Lloyd’s of London, told the financial newspaper.

Although the U.S. market is expected to be a prime driver of cyber insurance growth—about 90 percent of worldwide cyber insurance premiums are paid by American businesses, according to Allianz—a new data privacy directive by the European Union will also fuel that growth. That’s because running afoul of those rules—called the General Data Privacy Regulation—carries some of the most severe penalties in the world: as much as four percent of a company’s annual worldwide turnover. Transferring some of that risk will be a priority, and cyber insurance will be a way to do it.

“The new directive will take us much more down the U.S. road, and the fines are potentially very substantial,” Nigel Brook, a partner at the law firm Clyde & Co., told the Financial Times. “It will be a massive boost to the UK cyber market.”

Good Deals for SMBs

Not only will businesses be buying cyber insurance, but more kinds of companies will be buying it, too, as more of them reassess their risks and hunt for transfer options.

Allianz points out that now sectors that handle large amounts of personal data—health care, retail, manufacturing, logistics and telecommunications—are buying cyber insurance, but that’s changing with the financial, energy, utilities and transport sectors seriously  considering buying it, too, because of increases in the risks they face from interconnectivity.

In addition, cyber insurance is starting to move down the economic ladder to small and medium sized businesses. The SMB market is drastically underserved, especially when you consider that 60 percent of SMBs go belly up after a data breach, according to Hartford Steam Boiler.

Hegedus notes cyber insurance can be very beneficial to SMBs, which often don’t have a lot of savvy about cybersecurity. “If your insurance agent doesn’t know cyber liability, then you need to find one that does,” he advises small business owners. “For a small business, it is much less expensive to transfer risk than to mitigate it. It’s also a lot less confusing so you get peace of mind a lot quicker.”

Better yet, insurers are hot now to get a toehold in the market. Steve Haase of INSUREtrust, an insurance wholesaler in Atlanta, told CPA Practice Advisor: “It’s a buyer’s market. Everyone is trying to grab market share.” That’s opening up some good deals for SMBs. An SMB with revenues of $3 million or less can buy coverage for about $1,000, according to INSUREtrust.

Catastrophic Event Looms

While there have been some very large data breaches, there really hasn’t been a truly catastrophic cyber event.

No giant corporation has gone out of business because of a data loss, business interruption or fatal damage to its brand. No data breach or network outage for a cloud service provider has knocked hundreds of companies off the Web. No attack on the Internet’s infrastructure has taken it down for a prolonged period of time— although the world got a taste of that with the DDoS assault on Dyn, which controls a big chunk of the Internet’s domain name system. No energy or utility company has failed to provide service to its users  because of a cyber attack.

And countries have thus far have limited their cyber antics to stealing information and trying to influence elections and not on attacking each other’s infrastructure.

A catastrophic cyber event could generate significant losses, maintains Allianz’s Pearson. However, he adds, at the same time it would also raise awareness and ultimately boost demand for cyber insurance.

Cyber Resilience vs. Cyberinsurance

Cybersecurity Ventures is cautious about sizing the cyberinsurance market beyond 2017.

“Insurers haven’t cracked the code on cyberinsurance yet – and that’s holding back the market” says Steve Morgan, founder and Editor-In-Chief at Cybersecurity Ventures. The total U.S. market for cyberinsurance is $3 billion at most right now, according to a Deloitte University Press report — and the U.S. is the biggest spender on cyberinsurance.

“Cyberinsurance policies are too murky and don’t cover organizations (of all sizes) against the total fallout resulting from a major hack” says Morgan. “Insurers are struggling to define exactly what constitutes a cyber attack, how IoT devices outside of an organization might play into policy coverage, and other complex issues. The idea of transferring risk to a third party is attractive, but the insurers aren’t completely there yet. We expect CIOs and CISOs to double-down spending on transitioning their infrastructures to the cloud and MSSPs, and other outsourced security help before they plow money into cyberinsurance. At the board level, there’s more focus on cyber resilience than cyberinsurance.”

Morgan says there’s a lot of hype around cyberinsurance market growth, but the insurers have a lot of educating to do before that happens – and they should prepare for prolonged sales cycles in 2017 and 2018. “The market is definitely growing, but nowhere near what some of the insurance firms are speculating.”

The wild card in the insurance picture, though, could be Europe’s General Data Privacy Regulation, which will affect anyone doing business with Europe. Companies will be investing more in technologies to protect their data to comply with that rule but as we have seen in the past, no technology offers perfect protection. With the penalties imposed by the GDPR potentially so devastating to a company, insurance, imperfect or not, may be seen as a worthwhile investment to calm directors and stockholders anxious about the consequences of a data breach and fire the market.

John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.