Cyberattacks may be the biggest risk that global businesses are unprepared for. Record numbers of data breaches have driven large organizations to increase spending on security at twice the rate of other information technology during the past several years, according to market-growth studies by Gartner, IDC and others that predict growth of between 4.7 percent and 9.9 percent during the next five to seven years.
While that growth is significant, it is dwarfed by annual increases of between 25 percent and 35 percent in the cyber insurance market. This sector, worth less than a billion dollars worldwide during 2012, topped $2 billion during 2015 and could triple by 2020, according to Moody’s. This explosive growth is a result of executives trying to protect their organizations’ financial health in an ever-hostile cyber landscape, as well as carriers seeing profits in a new business segment.
Unlike auto theft or fire insurance, cyber insurance is an emerging form of coverage. Predicting risks for the online environment cannot be based on retrospective analysis, since lack of historical data presents a tremendous challenge. The data simply does not exist to develop the models used by underwriters to calculate risk and set rates related to predictable expectations of loss and exposure. In addition, trying to gain even a toehold is difficult because the data, the technology, and the harmful incidents are growing and evolving so rapidly.
The result is a fragmented and volatile situation for both business and carriers. Carriers must essentially guess at their exposure, reflected in a market that is highly variable in both policy terms and prices. Business leaders, unable to comprehend coverage limits and reimbursement requirements, elect to bear the risk when faced with high costs, high deductibles and outright denial of coverage.
The SANS report “Cleaning Up After a Breach—Post-Breach Impact: A Cost Compendium” predicts that the evolving insurance market will have a strong influence on the ways organizations will approach their risk assessment and management activities, as well as how they will handle their investment in defending against escalating post-breach costs and total financial loss. This will require CEOs/CISOs and insurance underwriters/agents to achieve a common understanding about the meaning of risk and how both sides must work together to achieve a realistic floor from which cyber insurance makes solid business sense.
2015 Energy Industry Cybersecurity Report
Strategic Cybersecurity: A Toolkit for Prioritizing, Coordinating, and Transforming Your Cybersecurity Program