Cyber liability exposures are becoming a fact of life for organizations of all sizes and industries.
Consider the major data breaches of recent years: Target, Home Depot, Neiman Marcus, Sony Pictures, JP Morgan, Morgan Stanley, Community Health Systems, Anthem and Premera Blue Cross. And that’s the tip of the iceberg.
Costs are exorbitant. The global cost of a breach is rising nearly 3 percent a year, from roughly $600 billion this year to $2.5 trillion in 2020, according to Juniper Research, a consultancy based in Hampshire, England.
For context, natural disasters typically don’t cause anywhere near that much damage in the world of global commerce. Yet insuring against physical and natural disasters is a long-established, fully understood cost of doing business, according to the first article in a three-part series on cyber insurance from Byron Acohido and Edward Iwata of ThirdCertainty.com.
Types of risk
There is much to suggest that cyber insurance, now in its infancy, is destined to follow a similar arc and eventually become as common as business insurance coverages for fire, floods and earthquakes.
“Cyber insurance is a risk-management tool that companies can use to help manage the financial impact of a data breach, which can be significant,” says Shawn Dougherty, director of cyber commercial lines product development for ISO Insurance Programs and Analytic Services.
Cyber insurance typically covers the costs involved in consumer notification, credit checks, business interruption and lawsuits that could stem from a hacker attack on corporate networks.
Two main risk types covered by cyber insurance that dominate the market now are:
First-party risks refer to damages stemming from business interruption, data destruction, identity theft and cyber extortion.
Third-party risks refer to network security liability and software and Web content liability.
In an era of mounting cyber threats, cyber insurance for businesses seems to be a no-brainer. Yet many businesses are still gun-shy about buying such policies. Lloyd’s of London says only a small percentage of business losses attributable to cyber attacks are insured. Meanwhile, companies that do purchase cyber insurance policies tend to view them as a necessary evil.
Underestimating the threat
Many organizations continue to underestimate cyber threats. While some have made progress in limiting their exposure to cyber threats, too many senior executives still do not fully understand these emerging exposures, according to the Center for Insurance Policy and Research.
A whopping 98 percent of respondents to the 2015 RIMS Cyber Survey said that their companies bought cyber insurance because it was a regulatory or business-related “contractual obligation.”
As with every young sector, cyber insurance resembles a wild, emerging market with hundreds of insurers and products, fast-changing technology, and budding industry practices.
A recent report for the Cyber Security Policy and Research Institute (CSPRI) found that the nascent market, while promising, faces a range of roadblocks that include poor standards, “uncertainty about liability,” “spotty coverage and insurance loopholes,” and other issues.
Meanwhile, many companies are spending small fortunes on information security technologies, including firewalls, intrusion detection systems, and encryption services. Cyber insurance represents another expenditure.
Often brokers who excel at selling traditional coverage are challenged to explain complex cyber policies and show companies, through real-world examples, the tangible benefits of such coverage, says Nate Spurrier, director of business development for CyberScout.
But when insurance brokers understand the potential and take the time to push sales of available policies, they actually could help trigger a virtuous cycle, says Tyler Moore, a professor of computer science and engineering at Southern Methodist University.
Companies seeking cyber coverage would begin to adopt better security practices. And as more policies get sold, the insurance industry should begin to make simplified policies more widely available.
Wider availability of affordable cyber insurance could “incentivize firms to implement good security practices,” Moore says, and insurance companies could “lower premiums for firms that adopt safeguards to mitigate risk.”