The increasing use of and dependence on information technology in economic activities – while creating significant benefits in terms of productivity and efficiency – is also leading to significant risks. Among them are “digital security risks” which, when they materialise, can disrupt the achievement of economic and social objectives by compromising the confidentiality, integrity and availability of information and information systems.
The World Economic Forum defined two technological risks related to digital security: (i) “large-scale cyberattacks”, defined as “large-scale cyberattacks or malware causing large economic damages, geopolitical tensions or widespread loss of trust in the internet”; and (ii) “massive incident of data fraud/theft”, defined as “wrongful exploitation of private or official data that takes place on an unprecedented scale.”
More data is being generated each year than in the whole of recorded human history, yet data security hasn’t kept up. Further, the IoT is growing at such a rapid rate that companies have a huge influx of data to comprehend. It’s thought that as much as 2.5 quintillion bytes of data is being generated by the technology each day, according to IBM. In a world that’s become increasingly virtualized, data loss affects everyone and every action online and off. Advancements in information technology (IT) have raised concerns about the risks to data associated with weak IT security, including vulnerability to viruses, malware, attacks and compromise of network systems and services.
The incidences of data breaches are increasing in magnitude each day, globally. The observers of data security and cyber-threats have predicted that cybercrime costs will grow by 15 percent globally in the next five years. Cyber incidents, such as privacy breaches, denial-of-service attacks, cyber-fraud and cyber extortion, can lead to a number of different types of losses for affected companies. There have also been a few examples of physical damage and disruption resulting from cyber-attacks. The estimated cost for these cyber-security breaches is likely to reach $10.5 trillion annually in 2025. As per the data available on Statista, 155.8 million individuals were affected by data exposures in the US in 2020.
The data breaches, which are the result of planned cyber-attacks, have skyrocketed amidst the pandemic. From private companies to governments, hackers do not spare anyone. Cyber threats like these not only pose a threat to the data or put the companies at risk of ransoms, but the organization’s reputation is also on the line concerning consumer trust. Thus, the cost of such attacks is high and not just in monetary terms. Yet, breaches go undetected for months, despite billion-dollar investments in products.
Because the cyber-insurance market in many countries is relatively small compared to other insurance products, its overall impact on emerging cyber threats is difficult to quantify. As the impact to people and businesses from cyber threats is also relatively broad when compared to the scope of protection provided by insurance products, insurance companies continue to develop their services.
As insurers pay out on cyber-losses, and as cyber threats develop and change, insurance products are increasingly being purchased alongside existing IT security services. Indeed, the underwriting criteria for insurers to offer cyber-insurance products are also early in development, and underwriters are actively partnering with IT security companies to develop their products.
Insurance coverage for cyber risk provides a means for companies and individuals to transfer a portion of their financial exposure to insurance markets. Insurance markets and companies can potentially contribute to the management of cyber risk by promoting awareness, encouraging measurement, and by providing incentives for risk reduction.
As well as directly improving security, cyber-insurance is enormously beneficial in the event of a large-scale security breach. Insurance provides a smooth funding mechanism for recovery from major losses, helping businesses to return to normal and reducing the need for government assistance. Finally, insurance allows cyber-security risks to be distributed fairly, with the cost of premiums commensurate with the size of expected loss from such risks. This avoids potentially dangerous concentrations of risk while also preventing free-riding.
Most people believe that only large-scale industries, such as banks and credit card companies, need cyber security insurance. However, any electronic information such as your name, email, contact number, financial records, medical records, payment information, government documentation, etc., stored on your personal devices can be easily and quickly hacked by a skilled hacker.
While not a substitute for investing in cybersecurity and risk management, insurance coverage for cyber risk can make a significant contribution to the management of cyber risk by promoting awareness about exposure to cyber losses, sharing expertise on risk management, encouraging investment in risk reduction and facilitating the response to cyber incidents.
Cyber Insurance policies
Cyber-insurance is a specialty lines insurance product intended to protect businesses, and individuals providing services for such businesses, from Internet-based risks, and more generally from risks relating to information technology infrastructure, information privacy, information governance liability, and activities related thereto. Risks of this nature are typically excluded from traditional commercial general liability policies or at least are not specifically defined in traditional insurance products.
Coverage provided by cyber-insurance policies may include first-party coverage against losses such as data destruction, extortion, theft, hacking, and denial-of-service attacks; liability coverage indemnifying companies for losses to others caused, for example, by errors and omissions, failure to safeguard data, or defamation; and other benefits including regular security audits, post-incident public relations and investigative expenses, and criminal reward funds.
Cyber Insurance Market
The global cyber insurance market size in the post-COVID-19 scenario is projected to grow from USD 7.8 billion in 2020 to USD 20.4 billion by 2025, at a CAGR of 21.2% during the forecast period. The major factors driving the market include the increasing number of sophisticated cyber-attacks amplifying the fear of financial losses, and growing need for compliance with various upcoming regulations.
Amidst the COVID-19 pandemic crisis, various governments and regulatory authorities mandated both public and private organizations to embrace new practices for working remotely and maintaining social distancing. Since then, digital ways of doing business have become the new business continuity plan (BCP) for various organizations. With the widespread use of BYOD devices, the WFH trend, and internet penetration across the corners of the globe, individuals are progressively inclined towards the use of digital technologies, driving the need for cyber insurance measures for protection against the aftermath of cyber-attacks. Cyber insurance solutions enable organizations to ensure business continuity and maintain their security postures against the threat of cybercrimes and malicious threat actors.
Surge in mandatory cybersecurity regulations and legislation to boost demand for insurance protection
The government regulatory bodies and law enforcement agencies worldwide have taken numerous initiatives to tighten data security and protection. With the advent of COVID-19, the need for a cyber insurance policy has been realized by policyholders, brokers, insurers, and agents.
For example, in February 2020, the Californian assembly introduced a bill to make cyber insurance mandatory to process regulated and protected personal information for all state contractors. The rise in data privacy laws such as the Personally Identifiable Information (PII) and the Health Insurance Portability and Accountability Act (HIPAA) in the US, the global standard, Payment Card Industry Data Security Standard (PCI DSS), and the European Union’s (EU) General Data Protection Regulation (GDPR) is persuading insurance providers to focus on cyber insurance measures. The increasing digitization has led to a tremendous growth in the rate of cyberattacks, more so during the COVID-19 pandemic. Hence, complex governance requirements and regulations in data security are expected to drive the adoption of cyber insurance in the future.
Opportunity: Adoption of artificial intelligence (AI) and blockchain technology for risk analytics
AI and blockchain are among the recent trending technologies that are expected to add advanced capabilities to risk analytics solutions and open new growth avenues. The integration of these technologies with risk analytics solutions would address some of the key challenges and pain points faced by cyber insurance companies. The advent of advanced technologies facilitates faster transactions and settlements, which helps financial institutions and their customers conduct transactions more easily while eliminating the intermediary charging fee. Risk analytics solutions play a key role in analyzing claims, managing reserves, and providing policy coverage. Insurance underwriting is another area where risk analytics solutions are becoming crucial to better assess risks and make informed decisions. There are various vendors in the market who have started integrating advanced techniques, such as statistical modeling, image processing, and ML, to quickly analyze data and generate insights. Vendors in the market are also providing platforms for offering rapid visualization capabilities to help underwriters make informed decisions.
Uncertainty about exposure: Cyber risk is a relatively new peril meaning there is limited historical data on which to base the pricing of insurance premiums. The general unwillingness of the victims of cyber incidents to share information on these events and their impacts (out of concern for potential reputational impacts) further limits access to historical data. Furthermore, the fast-evolving nature of cyber risk – where the perpetrators of cyber attacks can be expected to continue to improve their methods of attack and find new ways to evade cyber defences – constrains the usefulness of the limited historical data that does exist. The legal and regulatory environment is also quickly evolving, impacting the scope and magnitude of the costs likely to be incurred as a result of a cyber-incident.
Limited awareness of potential exposures to cyber losses: While most companies will be aware of the possibility that their networks might be breached or that their web servers could face a denial-of-service attack, a much lower proportion have assessed the potential financial impact of a cyber-incident – which would normally be the basis for any decision to purchase insurance.
More comprehensive data on the frequency and impact of cyber incidents (and the related claims payments) would provide more confidence in the underwriting of insurance coverage for cyber risk – and therefore should support availability and affordability.
Misunderstanding in the coverage available: The coverage for cyber-related losses may be provided through stand-alone cyber insurance policies, endorsements to stand-alone policies or traditional policies, or in any number of traditional policies covering property, crime, kidnap and ransom or various types of liability. Even among stand-alone cyber insurance policies, significant variation exists in terms of the types of losses covered, sub-limits and deductibles applied, as well as the time basis for claim eligibility. The complexity involved in ensuring appropriate coverage for cyber risk, along with the mismatch between the coverage available and some of the types of losses commonly incurred (e.g. reputational harm and intellectual property theft) has resulted in some concern about whether cyber insurance will actually pay out in the event of an incident.
Restraint: Soaring cyber insurance costs
The higher cost of cyber insurance is one of the major factors hindering the growth of the cyber insurance market. Insurance companies had to pay out expensive claims due to the ransomware attacks in the last two to three years. Even if the cyber insurance companies do not cover the ransom amount, the cost of recovery for the compromised system is high. Cyber insurance companies are increasing the coverage costs to cover the additional costs due to the added services, such as negotiation with hackers and assistance for data recovery during a ransomware attack. The rising price of cyber insurance has slowed down adoption, as organizations are more focused on increasing their cyber security than on paying the insurance premium.
The Average Cost of Cyber Insurance Varies Across the United States. On average, U.S. organizations pay $1,485 annually for cyber insurance. New Mexico has the lowest average annual cost for cyber insurance ($1,355.56), while Minnesota has the highest cost ($1,708.11). U.S. cyber insurance costs fell 1 percent year over year between 2019 and 2020. This may be due to the fact that various cyber insurance companies lowered their premiums or shut down their operations during this time frame. Still, a range of research suggests cyber insurance premiums are rising — especially within the MSP industry, where insurers now realize IT service providers are prime targets for supply chain attacks.
An organization’s location and the nature of its operations are two of the biggest factors that impact the cost of cyber insurance in the United States. In addition, the number of sensitive employee and customer records that an organization maintains can affect its cyber insurance costs. The higher the limits of cyber coverage, the more likely it becomes that an organization will have to pay a high premium for its cyber insurance policy. For example, a policy with a cyber liability limit of $250,000 has an average annual premium of $739. Comparatively, a policy with a cyber liability limit of $1 million has an average annual premium of $1,588.
A typical cyber insurance deductible for a $1 million policy could be $10,000, but organizations may be able to choose a high or low deductible. Selecting a low deductible means an organization will pay less if it suffers a data breach, but it may also pay high premiums. Organizations should evaluate a wide range of cyber insurance options. That way, they can select coverages that ensure they are financially protected against data breaches and can get the most value out of their cyber insurance policy.
Challenge: Cyber Threat to Insurance companies
The insurance companies are themselves facing increasing cyber attacks. In 2019, ransomware criminals claimed as trophies at least three North American insurance brokerages that offer policies to help others survive the very network-paralyzing, data-pilfering extortion attacks they themselves apparently suffered.
Cybercriminals who hack into corporate and government networks to steal sensitive data for extortion routinely try to learn how much cyber insurance coverage the victims have. Knowing what victims can afford to pay can give them an edge in ransom negotiations. The cyber insurance industry, too, is a prime target for crooks seeking its customers’ identities and scope of coverage.
Challenge: Despite soaring cybersecurity risks, cyber insurers grapple to gain traction
Despite the rise in the number of security incidents, insurance companies are struggling to sell standalone cyber insurance policies. Mid-sized enterprises, even with the rise in ransomware and security incidents, are slow when it comes to adopting standalone cyber insurance policies. As per the 2018 Allianz Risk Barometer report, cyber risk is the major concern for risk managers of both SMEs and large enterprises in the US.
In 2018, the net written premiums in the US, including standalone policies and standard commercial policies, totaled only USD 1.94 billion. The Global Cyber Risk Perception Survey 2019, conducted in partnership with Microsoft, revealed that 43% of enterprises with annual revenues below USD 1 billion did not have a standalone cyber insurance policy. High costs, lower coverage limits, complex coverage terms, and lack of awareness related to cyber insurance policies are some of the factors that are inhibiting the growth of the cyber insurance market.
By organization size, the large enterprise segment to lead the market in 2020
Large enterprises are organizations that have more than 1,000 employees. These organizations invest heavily in advanced technologies for increasing overall productivity and efficiency. Large enterprises are widely opting for cyber insurance solutions and are expected to invest significantly in advanced cyber insurance solutions to provide optimum security for their enterprises in an intensely competitive environment.
Large enterprises have adopted cyber insurance solutions, as they use a large number of cloud and Internet of Things (IoT)-based applications that are highly susceptible to cyberattacks. Moreover, stringent regulatory pressure is driving cyber risk awareness and, with it, the need for cyber insurance solutions. For example, in the US, CCPA is one of the toughest data privacy laws.
North America is expected to hold the largest market size during the forecast period.
North America has sustainable and well-established economies, which empower it to invest significantly in Research and Development (R&D) activities, thereby contributing to the development of new technologies in the cyber insurance market. The presence of the majority of key players in the cyber insurance market is expected to be the major factor driving the growth of the market in this region. Key players, such as BitSight Technologies, Prevalent, RedSeal, SecurityScorecard, Cisco, Microsoft, UpGuard, and FireEye, among others, along with several start-ups such as At-Bay, Cybernance, Coalition, Arceo.ai, Zeguro, etc., in the region offer immense opportunity for the growth of cyber insurance solutions and services.
Technology Vendors – BitSight (US), Prevalent (US), RedSeal (US), SecurityScorecard (US), Cyber Indemnity Solutions (Australia), Cisco (US), UpGuard (US), Microsoft (US), Check Point (US), AttackIQ (US), SentinelOne (US), Broadcom (US), Accenture (Ireland), Kenna Security (US), Cylance (US), FireEye (US), CyberArk (US), CYE (Israel), SecurIT360 (US), and Founder Shield (US).
Insurance Vendors – Allianz (Germany), AIG (US), Aon (UK), Arthur J. Gallagher & Co (US), Travelers Insurance (US), AXA XL (US), AXIS Capital (Bermuda), Beazley (UK), Chubb (Switzerland), CNA Financial (US), Fairfax Financial (Canada), Liberty Mutual (US), Lloyd’s of London (UK), Lockton (US), Munich Re Group (Germany), and Sompo International (Bermuda).
Start-up Vendors – At-Bay (US), Cybernance (US), CyberCube (US), Coalition (US), Arceo.ai (US), Kovrr (Israel), Sayata Labs (Israel), Zeguro (US), RiskSense (US), Cyence (US), SafeBreach (US), and Cronus Cyber Technologies (Israel).
In July 2020, Prevalent announced a new version of its Third-Party Risk Management Platform. The enhanced solution included the addition of 567,000 Vendor Threat Monitor (VTM) business risk intelligence sources to help enterprises identify and mitigate risks in real time. The enhanced platform leverages machine learning to assess enterprise risks and suggest remedial actions over time.
In June 2020, BitSight introduced new capabilities within its BitSight for Third-Party Risk Management solution. The enhanced solution would enable effective third-party cyber risk management to provide intelligent recommendations, risk management, and improve operational efficiencies across the extended business ecosystem.
In June 2020, SecurityScorecard introduced the availability of its products in the AWS Marketplace. SecurityScorecard’s products, such as Security Ratings and Atlas, would be available for purchase in the AWS Marketplace. This would enable the increased adoption of the Security Ratings platform in the AWS Marketplace. AWS customers can gain visibility over their security ratings and have a 360-degree view of their security ecosystem.
In November 2019, RedSeal expanded its hybrid network capabilities to include Google Cloud Platform. With the integration of Google Cloud Platform, customers can identify vulnerabilities across network environments and consolidate network data from major public and private cloud solution vendors, such as Amazon Web Services, Cisco ACI, and Microsoft Azure.
In March 2019, Prevalent acquired 3GRC, a global provider of expert governance, risk, and compliance solutions and services. With this acquisition, 3GRC integrated its technology and expertise in risk and compliance management with Prevalent’s comprehensive single-view risk solution. Prevalent also expanded its footprint in the UK with this acquisition.