We’re still waiting for the full impact

By: William Jackson
July 1, 2016

In the face of growing cybersecurity risks and rising costs of breaches, there appears to be a healthy appetite for cybersecurity insurance. PwC, in its 2016 Global State of Information Security Survey, called it “one of the fastest-growing sectors in the insurance market.”

“Cyber insurance is a potentially huge, but still largely untapped, opportunity for insurers and reinsurers,” PwC said in its recent report on the cybersecurity insurance sector. “We estimate that annual gross written premiums are set to increase from around $2.5 billion today to reach $7.5 billion by the end of the decade.”

This is a good thing. Insurance not only helps organizations transfer the financial risk of security incidents; it can also reshape the state of cybersecurity by moving it from a technical issue to a basic business requirement. The real advantage of insurance is its ability to quantify risk, which has always been a challenge for cybersecurity. Once the actuaries reduce risk to a dollars-and-cents figure, it can find a home in the executive suite. And the insurance companies, with their own profits at stake, will establish baseline security practices that their clients will be expected to adhere to as a condition of coverage. Those practices are likely to do more to advance cybersecurity than any government regulation. Insurers already require a thorough assessment of an applicant's capabilities and risks as a precondition to issuing a policy.

Unfortunately, the industry has not yet fully matured. Although the PwC survey found that 59 percent of organizations had cybersecurity insurance, it also reported that 90 percent of policies are bought by U.S. companies, leaving much of the rest of the world untouched. And because this is a new business facing a rapidly evolving threat landscape, there is a lot of uncertainty for both insurers and their clients.

“While many insurers have eagerly embraced the revenue growth opportunities opened up by cyber insurance products, others believe that this is too big a risk for them to take on,” PwC said in its industry report. “There has also been some talk about whether governments would be prepared to step in as an insurer or reinsurer of last resort, as they have with terrorism and some hard to place flood coverage.”

As a result, companies interested in the insurance can find it difficult to get the coverage they want, and the price for what they get typically is high. “Generally, businesses should understand that they won’t be able to insure the full risk of loss because the market just doesn’t have the supply yet,” said PwC Principal Joseph Nocera.

And although the insurance industry has not yet had a big impact on cybersecurity practices, PwC notes that some common conditions of coverage, such as strong encryption or 100 percent up-to-date patching, already are difficult for businesses to meet. That matters, because a condition of coverage an organization cannot actually satisfy is a condition it may be found to have breached when it files a claim.

Cybersecurity insurance will never be a panacea. Unlike most other types of insurance, cybersecurity insurance must price a risk driven by aggressive adversaries actively working to circumvent our best defenses, rather than by accident or natural hazard. But I am hopeful that once this sector matures it will have a meaningful impact not only on the risk exposure of companies, but on the practice of cybersecurity in both industry and government.