While 2016 may have been one of the worst years in history for network security, there is at least one silver lining for enterprise IT departments: insurance companies are becoming increasingly skilled at underwriting cybersecurity risks.
According to the Insurance Information Institute, more than 60 different insurance companies are now offering standalone cyber insurance policies, with an estimated U.S. market of more than $3.25 billion in gross written premiums this year.
That figure is the direct result of two related trends. First, data breaches are becoming more expensive for enterprises, with the average breach in 2016 costing $7 million and representing the third-costliest business risk this year. That increase has given rise to the second trend, which is that businesses are becoming much more concerned about protecting themselves against potential financial losses as the result of hacks that are becoming almost inevitable.
A New Challenge
Historically, the insurance industry has successfully managed to adapt to the risks posed by new technologies, including automotive and air travel tech. Nonetheless, insuring against data breaches and other attacks presents its own set of challenges and complications.
In particular, the constantly changing range of perpetrators, targets and exposure values, a lack of historical actuarial data and the interconnected nature of cyberspace, combine to make it difficult for insurers to assess the likely severity of future cyberattacks.
While most traditional commercial general liability policies do not cover cyber risks, standalone cyber insurance policies typically address a number of risks associated with data breaches or attacks.
Chief among these is liability insurance to help companies cover costs, such as legal fees and court judgments, that may be incurred following the theft of enterprises data and the unintentional transmission of a computer virus that causes financial harm to a third party.
Crisis management is another aspect of standalone cyber insurance, covering the cost of notifying consumers about data breaches that resulted in the release of private information and providing them with credit monitoring services. Cyber insurance also covers the cost of retaining a public relations firm or launching an advertising campaign to rebuild a company’s reputation.
Some policies will also cover liabilities incurred by directors, corporate officers or other members of management who might be at risk due to decisions made on behalf of the company. Business interruption stemming from an attack can also lead to a loss of income, another risk insurers are increasingly starting to underwrite.
Ransomware and Data Destruction
Cyber extortion has also been a major concern this year, with the San Francisco transit system falling victim to an attempt to extort it for millions of dollars. That attack caused the system to offer free rides to patrons over Thanksgiving weekend. Cyber extortion coverage helps cover the settlement of an extortion threat as well as the cost of hiring a security firm to track down the blackmailers.
Insurance companies are also beginning to cover damages resulting in the destruction of data or other valuable assets stemming from viruses, malicious code and Trojan horses, as well as the cost of posting criminal rewards for information leading to the arrest and conviction of malicious hackers.
If 2016 was any indication of what lies ahead, these kinds of insurance policies should be in even greater demand in 2017.