Leading the way in innovation for over 55 years, we build greater futures for businesses across multiple industries and 55 countries.
Our expert, committed team put our shared beliefs into action – every day. Together, we combine innovation and collective knowledge to create the extraordinary.
We share news, insights, analysis and research – tailored to your unique interests – to help you deepen your knowledge and impact.
At TCS, we believe exceptional work begins with hiring, celebrating and nurturing the best people — from all walks of life.
Get access to a catalog of the latest news stories from across TCS. Discover our press releases, reports, and company announcements.
You have these already downloaded
We have sent you a copy of the report to your email again.
From the first cybercrime in 1834, when a pair of thieves hacked the French Telegraph system for financial market information to numerous cyber security attacks in 2020, the motives have remained the same. The means have become highly sophisticated, targets are more selective, and the costs of claims have multiplied a million-fold.
Today, the average cost of a cyber insurance claim can range from USD $700,000 for a small or medium enterprise (SME) to USD $16 million for a large enterprise, while a large breach could cost an insurer up to USD $150 million.
Despite the growing sophistication and number of cyber-attacks, most enterprises still do not have adequate coverage. In light of the growing threats, it is a matter of great worry that the current USD $5.5 billion cyber insurance industry may be barely a few claims away from becoming solvent. A handful of big claims in their respective coverage brackets is all it will take to blow away a year’s worth of premiums – which would take much longer for insurers to earn back. What makes this even more alarming is that cyber insurance is a very niche market with the top 10 insurers and re-insurers combined writing about half of the global premiums. This puts the industry in a very precarious position, especially if faced with a large global-scale attack that could potentially set the industry back by a few years.
The recent breach at an IT management and remote monitoring software firm, which serves thousands of enterprises, saw malware pushed into customer networks as part of the firm’s software update. It is important to note that the technology firm and their insurer are liable for third-party losses by the thousands of organizations they serve. The scale of this supply-chain cyberattack is unprecedented and is nothing short of a cyber security catastrophe that can deal a deathblow to the industry.
When individuals were targets, identify theft was the most sought-after coverage and there was hardly any demand for third-party liability. However, when organizations become targets, it is a very different picture. To begin with, liability coverage has gained prominence and is offered by most carriers in both standalone and package policies. Data privacy laws like GDPR or those from the Consumer Protection Bureau and other regulatory bodies are imposing heavy penalties on organizations that fail to protect consumer data. As a result, many large organizations now require their third-party contractors and vendors to have cyber liability protection, driving the demand in the market.
When a large data breach happens, most organizations and consumers have little or no evidence of the exact data that was compromised and its impact. So in most cases, the liability of the carrier is limited to first-party cyber coverage and identity theft protection to impacted customers. Third-party liability claims are settled depending on the available evidence and limited to the single organization.
Drawing an analogy with property risks, a large hurricane is considered a catastrophe. Today, unlike cyber claims, many catastrophic property claims are handled seamlessly because there exists a strong market and mature ecosystem which has taken several years to evolve. The cyber insurance industry too could use some help.
In the absence of sufficient loss data for risk modeling, the industry needs partners who can ascertain a good risk from a bad one, constantly monitor threats, and restore services in the face of a cyber-attack. Cyber insurers need to partner with ecosystem players who can identify, mitigate, and prevent cyber risks. This will help reduce risk exposure, strengthen the ecosystem, and promote market growth.
The US government has played a significant role in promoting and supporting terrorism risk coverage (TRIA 2002) after the 9/11 attacks. Similarly, a recent supply chain attack should be treated as an eye opener for global governments on the impact of cyber risks to economic growth and national security. This should prompt them to support the industry by mandating and sponsoring cyber insurance.
More than a third of cyber insurance is ceded to reinsurers. However, increasing loss trends, shorter payout times from ransomware demands, and low investment returns are putting pressure on reinsurers. The cyber industry needs their support in the form of proportional and non-proportional treaties to strengthen and broaden coverage.
Cyber insurance is a means for today’s digital enterprises to become resilient in the face of exponentially growing cyber threats. However, carriers are unable to provide sufficient coverage due to constantly evolving threats and insufficient loss data. On the other hand, insurers have consistently reported higher cyber claim losses than previous years. As a result, the industry is struggling to make ends meet while its sustenance is threatened by a potentially catastrophic cyberattack.
The industry needs support from all stakeholders until it matures and can withstand catastrophes on its own. The emerging cyber ecosystems, pro-cyber government policies, and strong re-insurer backing will need to nurture and strengthen the industry in the coming years.
Enhancing Dealer Network Management with Master Data Management
Overcoming Barriers to Gen AI Adoption
The Role of AI in HRMS Industry
Cybersecurity: The new frontier in the digital age