From the first cybercrime in 1834, when a pair of thieves hacked the French Telegraph system for financial market information, to the numerous cyber security attacks in 2020, the motive has remained the same. The means have become highly sophisticated, targets have become more selective, and the costs of claims have multiplied a million-fold.
Today, the average cost of a cyber insurance claim ranges between USD 700,000 for a small or medium enterprise (SME) and USD 16 million for a large enterprise, while a large breach could cost the insurer up to USD 150 million.
The Cyberattack Catastrophe
However, despite the growing sophistication and number of cyber-attacks, most enterprises still do not have adequate coverage. In light of the growing threats, it is a matter of great worry that the current USD 5.5 billion cyber insurance industry may be barely a few claims away from becoming insolvent. A handful of big claims in the respective coverage brackets is all it will take to blow away a year’s worth of premiums – which would take much longer for insurers to earn back. What makes this even more alarming is that cyber insurance is a very niche market, with the top 10 insurers and re-insurers combined writing about half of the global premiums. This puts the industry in a very precarious position, especially if faced with a large global-scale attack that can potentially set the industry back by a few years.
The recent breach at an IT Management and Remote Monitoring Software firm, which serves thousands of enterprises, saw malware pushed into customer networks as part of the firm’s software update. It is important to note that the technology firm and its insurer are liable for third-party losses incurred by the thousands of organizations the firm serves. The scale of this supply-chain cyberattack is unprecedented and is nothing short of a cyber security catastrophe that can deal a deathblow to the industry.
The Growing Demand for Cyber Liability
When individuals were targets, identity theft was the most sought-after coverage and there was hardly any demand for third-party liability. However, when organizations become targets, it is a very different picture. To begin with, liability coverage has gained prominence and is offered by most carriers in both standalone and package policies. Data privacy laws like GDPR, Consumer Protection Bureaus and other regulatory bodies are imposing heavy penalties on organizations that fail to protect consumer data. As a result, many large organizations now require their third-party contractors and vendors to have cyber liability protection, driving the demand in the market.
When a large data breach happens, most organizations and consumers have little or no evidence of the exact data that was compromised and its impact. So, in most cases, the liability of the carrier is limited to first-party cyber coverage and identity theft protection for the impacted customers. Third-party liability claims were settled depending on the available evidence and were limited to the single organization.
It Takes a Village…
Drawing an analogy with property risks, a large hurricane is considered a catastrophe. Today, unlike cyber claims, a large number of catastrophic property claims are handled seamlessly because there exists a strong market and a mature ecosystem, which has taken several years to evolve. The cyber insurance industry too could use some help.
In the absence of sufficient loss data for risk modelling, the industry needs partners who can tell a good risk from a bad one, constantly monitor threats and restore services in the face of a cyber-attack. Cyber insurers need to partner with ecosystem players who can identify, mitigate and prevent cyber risks. This will help reduce the risk exposure, strengthen the ecosystem and promote market growth.
The US government has played a significant role in promoting and supporting terrorism risk coverage (TRIA 2002) after the 9/11 attacks. Similarly, the recent supply-chain attack should be treated as an eye-opener for governments globally to understand the impact of cyber risks on economic growth and national security. This should prompt them to support the industry by mandating and sponsoring cyber insurance.
More than a third of cyber insurance is ceded to reinsurers. However, increasing loss trends, shorter payout times from ransomware demands and low investment returns are putting pressure on the reinsurers. The cyber industry needs their support in the form of proportional and non-proportional treaties to strengthen and broaden the coverage.
Cyber insurance is a means for today’s digital enterprises to become resilient in the face of exponentially growing cyber threats. However, carriers are unable to provide sufficient coverage due to the constantly evolving threats and insufficient loss data. On the other hand, insurers have consistently reported higher cyber claim losses than in previous years. As a result, the industry is struggling to make ends meet while its sustenance is threatened by a potentially catastrophic cyberattack.
The industry needs support from all stakeholders till it matures and can withstand catastrophes on its own. The emerging cyber ecosystems, pro-cyber government policies and strong re-insurer backing will need to nurture and strengthen the industry in the coming years.