The seemingly unstoppable juggernaut of the cyber insurance market finished out 2015 in style. More than half of businesses in the US now carry some cyber coverage, and the segment is expected to triple in size to $7.5 billion by 2020.
Yet a series of recent reports suggests this growth hasn’t been equal – or without its qualifications.
For one thing, the 32% increase in cyberinsurance purchases in 2014 was driven by only a few industries. According to
Marsh Risk Management Research, the at-risk sectors of healthcare and education took the lead in terms of take-up rate. Among healthcare organizations, 50% now carry coverage; 32% of educational institutions do so as well. Hospitality and gaming, and the services industry, also did a great deal of buying in 2014. This helped the US economy reach its overall rate of coverage.
But most industries still boast dismal take-up rates. According to the same Marsh report, five markets are particularly untapped.
By far, manufacturing is the most uninsured against this risk. Just 8% of companies in that sector purchased standalone cyber insurance in 2014, up from 6% in 2013. This isn’t from lack of awareness – cyber risk tops the list of concerns for manufacturers, according to the 2015
Travelers Business Risk Index. Decision-makers simply are choosing not to purchase the coverage.
Communications, media and technology is the second-most uninsured sector against cyber risk. Just 12% of companies bought a policy in 2014, barely shifting from the previous year’s take-up rate of 11%.
Surprisingly, the retail/wholesale market is also largely uninsured – only 18% of companies carried coverage in 2014. This industry is one especially vulnerable to cyber attacks because of the large quantity of customer credit-card information it collects. High-profile hacks, such as those against Target and Home Depot, have driven up retail’s risk profile, which has made affordable coverage with appropriate limits difficult to find.
Rounding out the top five most uninsured industries are power/utilities and financial institutions, both of which have a 21% take-up rate. That’s up from 14% and 17%, respectively.
Robert Hartwig, president of the Insurance Information Institute, says that while insurance professionals certainly have a ways to go toward properly insuring these lagging industries, the numbers are encouraging in one respect.
“Every industry is increasing their take-up rate by a substantial percentage,” he says. “The numbers are low, but we expect them to increase rapidly. This is one of the bold new frontiers for insurers.”
However, closer analysis reveals that even those companies insured against cyber risk might not be carrying enough coverage.
According to the Ponemon Institute, most of the costs associated with a data breach will total less than $1 million. However, there’s a 5% chance the breach will cost a company $20 million or more – and most firms aren’t insured for that kind of loss.
While cost has a great deal to do with that lack of coverage, another significant reason companies aren’t buying higher limits is that they’re just not available.
According to Kevin Kalinich, leader of the global cyber risk practice for
Aon Risk Solutions (which sponsored the Ponemon study), it’s exceedingly difficult to find policies with adequate limits.
“We are working with alternative markets because the traditional cyber insurance markets run out of capacity between $200 and $300 million,” he says.
In 2015,
AIG CEO Peter Hancock made headlines by suggesting the amount of cyber liability coverage offered by carriers will only cover a fraction of the damages that occur during and after a data breach.
“The largest coverage I’m aware of is for a bank that has about $400 million in coverage, which is very small when you think about it,” Hancock said. “When you compare it to the amount of capacity that’s available for a complex chemical plant, refinery [or] offshore oil platform, the numbers are much, much higher.”
Hancock and others are hopeful, however, that as awareness of cyber risk increases, underwriters will start offering higher policy limits. “The willingness of insurers and by others in the industry to provide greater capacity will increase with greater comfort in the maturity of the countermeasures,”
Hancock said.
Jack Elliott-Frey, a broker with SafeOnline, believes that as more businesses accept the costly reality of cyber risk, insurers will start offering higher limits.
“There is a clear picture being painted here,” he says. “Businesses are unaware of the cyber threat, which leads to low demand for cyber insurance, with insurers offering generalized, inadequate policies for the small number of businesses that are requesting them.”
