In the Annual Survey of Cyber Insurance for 2019, it is clear that demand is "softening." Key findings include:
This is a considerable slowdown from 2018. For example, last year 44.9% of companies that renew their cyber insurance increase it, but that has fallen to 32% in 2019's report. And in 2018, the typical cyber insurance limit was $3.2 million, but that fell to $2.8m in 2019.. Prices were soft even in 2018, as 30% of insurers saw cyber prices decline versus 12% who enjoyed an increase over last 6 months. Data from Cyber Insurance Market Watch Survey - July 2018.
Most companies with over 500 staff think they have cyber insurance. For example, in August 2018 90% of such organisations in the UK and 64% in the Nordics say they have cyber-risk insurance (FICO survey, requires registration).
The reasons to actually invoke cyber insurance are fairly stable: 51% of cyber incidents reported to insurers were caused by staff (including accidental disclosure and deliberate crime,) according to this June 2018 Beazley report.
Lloyd's of London reported in July 2017 that insurers will receive about $3.5bn of premiums this year, from businesses that want to protect themselves from cyber attacks. Yet the same report shows that a single extreme outage at a major cloud services provider could cause over 15 times that amount of damage to businesses.
Cyber risks are indeed under-insured, according to this April 2017 global survey of over 2,000 business executives. Businesses insure far more of the risk associated with their physical property than with their online, cyber assets. Take a moment to look at the playbooks published for insurance brokers (eg May 2017).
Most organisations are not insured for all aspects of a cyber attack, either by general liability insurance, director’s insurance, or specific "stand alone" cyber insurance. In May 2017, CFC found insurance brokers are failing to discuss cyber with businesses - though that may rise after the Ransomware event of May 2017. A UK Government report of March 2015 showed that 52% of British CEOs of large businesses think their organisation is insured for cyber risks, but the most generous interpretation of the facts is that only 10% of actually are. The report suggests that just 2% of large UK businesses have actual stand alone cyber insurance. The USA is by far the most developed cyber insurance market, and in April 2016, about 16% of USA businesses have stand-alone cyber insurance.
Cost effectiveness of cyber insurance is worth considering. 52% of businesses that don't plan to buy cyber insurance say its because “Premiums are too expensive.” 44% of businesses that don't plan cyber insurance say it's because there are “too many exclusions, restrictions & uninsurable risks,” or more provocatively, "trap doors." Certainly, some common conditions of cyber insurance, such as "state-of-the-art data encryption or 100% updated security patch clauses," are difficult for any business to maintain. It is hard for brokers to offer cyber insurance from many alternative insurers because they find it " too difficult to compare offerings, coverage enhancements and exclusions."
How much does Cyber Insurance cost? Have a look at these examples published in June 2017, for a variety of American companies. In the USA in 2017, "firms typically spend between $5,000 and $50,000 a year for policies that provide $1 million to $10 million in coverage," according to the CEO of Gunn Steers, an insurance broker.
What do insured companies claim for after a cyber attack? As this detailed report showed in March 2016, some 81% of US companies that have bought cyber insurance have never filed a claim on it. That was not because they didn't suffer cyber incidents, but because their potential claim was less than their insurance deductible. Of those companies in the USA that the do claim, the typical (median) payment is $77k. The insurance claim normally includes legal and forensic specialists, though rarely PR costs. The cost of buying insurance for cyber varies widely, but to purchase a $1m policy typically costs $5k to $25k per year for a medium sized company. Advisen publishes useful data on cost trends in the USA.
During a cyber attack, be sure not to incur claim-related costs without consent from your insurer, and do not prejudice insurer’s rights for example by admitting liability or settling any claim. During the attack, it is unusual to be certain who the attacker is, but it may be useful to know that 3rd parties accounted for 25% of the claims submitted and insiders were involved in 32% of the claims submitted according to this report.
Good cyber insurance will cover at least some of the following after a data breach: forensic investigation; notification costs; credit and identity monitoring services; costs to defend your organisation from legal challenge; cyber extortion; data loss; and perhaps business interruption. You will ideally want retroactive cover, for breaches that originated before insurance was taken out but weren't discovered until later. Introductory advice on how to buy cyber insurance is here and here.
The cyber insurance market is growing, by 30% each year between 2012-2015, though in April 2016 the growth had slowed to "slow but steady." There were about 3,000 claims on cyber insurance in the USA in the four years of 2012-2015. In 2015, there was some debate about how sustainable the cyber insurance market is. For example, "Lloyd’s is concerned that cyber risk may not be being properly priced for, nor the exposures adequately quantified by managing agents.” That's not surprising - even the EU specialist agency ENISA struggled with this analysis of 17 reports into the cost of cyber attacks, and it's worth reading this warning about cyber attack cost calculators.
We should encourage the development of cyber insurance, as insurers can potentially support rational, optimised investments in cyber security, if they are able to gather enough data about what really reduces cyber risks.
Click each image below to read how various cyber insurers describe their offerings. Members may contact us for more information.