Can Cyber Insurance Help You Become More Secure?

By: William Jackson
September 18, 2015


A report from PricewaterhouseCoopers predicts rapid growth in the cyber insurance market in the next five years and identifies some weaknesses in the industry. Its recommendations could help improve global cybersecurity.

Cybersecurity insurance has gotten quite a bit of attention in the past couple of weeks. A report by PricewaterhouseCoopers predicts significant growth in the industry over the next five years. From today’s $2.5 billion, “we estimate that the cyber insurance market could grow to $5 billion in annual premiums by 2018 and at least $7.5 billion by 2020,” the authors wrote.

As if to underscore this, ABA Insurance Services (the American Bankers Association-endorsed insurance provider) announced Sept. 1 a new cyber liability and privacy insurance policy that includes breach response resources. The Cyber Cover policy offers data breach liability coverage with optional coverage for electronic funds transfer, regulatory defense and coverage for response expenses, including public relations.

A couple of weeks later, Deputy Treasury Secretary Sarah Bloom Raskin told a Washington think tank that the insurance industry could help drive better cybersecurity by helping organizations identify best practices and providing financial incentives to adopt them.

“The insurance sector plays a role in helping to quantify cyber risk,” Raskin said. “The insurance sector knows how to gauge the individual and collective risks and associated costs posed by cyber incidents.”

The attention to cyber insurance is a positive step toward improving cybersecurity. I wrote 15 years ago that insurance could be a powerful part of the security equation.

“Most types of commercial risk, from fire and theft to earthquake and flood, have long since been quantified in the tables of insurance companies,” I wrote. “Information assurance has so far defied such calculations and, without the numbers, managers in the government and elsewhere have been uncomfortable setting a price on system security.”

As cyber insurance matures and becomes an accepted requirement for doing business, insurance companies will tie coverage and its cost to implementing best practices, creating de facto standards for cybersecurity that organizations can justify financially.

This has been a long time coming, but it might finally be happening. Like every other element in the security equation, however, cyber insurance comes with the caveat that it is not a silver bullet. The PwC report also identified weaknesses in this rapidly emerging sector of the industry. In a threat environment that is growing and evolving so rapidly, some insurers are finding it difficult to accurately quantify and limit their exposure. Insurers also are limiting coverage to well under the industry maximum of $500 million, and some common conditions, such as state-of-the-art data encryption or 100 percent updated security patches, are difficult for businesses to maintain.

The report includes recommendations for the insurance industry that could not only help put cyber insurance on a sound footing but also help to establish a global, risk-based approach to cybersecurity. These include:

  • Effectively quantify the cost of cyber attacks, breaches and other incidents.
  • Use the resources of the technology and intelligence communities to develop more effective threat and client vulnerability assessments.
  • Share more data.
  • Conduct frequent assessments of clients’ vulnerabilities and risks, tied to requirements for remediation.
  • Establish an industry mechanism to coordinate risk management and develop solutions and standards.
  • Invest in insurers’ own cybersecurity.

These all sound like best practices for effective cybersecurity. If cyber insurance becomes a business norm alongside other types of coverage such as fire, the insurance industry could finally become an effective driver of cybersecurity.