If you haven’t started selling cyber insurance yet, now is the time to do so.
While still relatively small compared to more established markets (like auto or homeowners), the market is growing rapidly. David Bradford, co-founder of insurance technology provider Advisen, expects the current $2.5 billion sector to generate twice as much in premiums by the end of the decade. PWC and ABI forecasts are even more optimistic – they expect the market to balloon to $7.5 billion and $10 billion by 2020, respectively.
The reasons for this are myriad. Data breaches have become more frequent and more costly, more carriers are entering the space and more companies are buying.
Bradford estimated that there are about 60 companies currently offering cyber coverage today, and an Advisen report suggests 64% of US businesses own a policy.
It’s hardly surprising when the Ponemon Institute and IBM put the average cost of a breach across various US industry sectors at $217 per exposed personally identifiable record. That’s up from $201 in 2015.
There’s also the fact that carriers are less and less willing to provide any sort of cyber protection through general policies, including the commercial general liability policy.
“In the past [traditional insurance coverage] may have picked up cyber-type incidents under the coverage which was never contemplating cyber exposures in the first place,” Bradford said. “Now insurers are excluding cyber out of those general policies, partly because of the emergence of cyber insurance.”
However, not all policies are created equally. Speaking at the Interop conference in Las Vegas this week, Bradford warned that many carriers are simply “making it up as they go along,” and there is little resemblance in how underwriters approach cyber risk.
“These are complex policies, and there’s a breadth of coverage,” he said. “Even people who are in the business but not doing cyber on a day-to-day basics are surprised at the nuances of coverage.
“It’s not like auto coverage or homeowner coverage that has a lot of similarities and standards. There’s not a common language and there’s not a lot of commonality.”
While coverage for data breach and privacy violations are standard, some carriers may cover losses due to business interruption, ransomware and related costs. Others, indeed most others, do not cover the value of lost intellectual property if a hacker manages to steal a commercial client’s IP. They also don’t cover lost cash when employees transfer funds into fraudulent accounts following a successful phishing attempt.
These gray areas may get even more complex as the Internet’s presence expands and the so-called Internet of Things extends a company’s reach into the lives of their customers.
Bradford also had criticism for those who rely on cyber policies instead of thinking critically about guarding against corporate data breaches.
“When it comes down to it, cyber insurance is not a substitute for information security,” he said. “But it can be a backstop for when things go wrong.”