Have you heard about cyber insurance? It is predicted to be the next big thing in insurance coverage. In the aftermath of the Home Depot and Target data breaches, it’s easy to see why companies doing business over the internet might need this type of coverage. Simply put, cyber insurance (or cyber liability insurance) is designed to safeguard against the many risks that come with conducting business online. While online businesses won’t have to worry about customer slipping and falling in their online store, they do have to worry about data breaches, privacy concerns, protecting intellectual property, virus transmission, and other online threats.
With e-commerce projected to account for 10% of all retail sales or approximately $370 billion in sales by 2017 in the United States alone, it is easy to see why world governments are concerned with the potential threat to the ever growing and increasingly interconnected online marketplace. Indeed, if you run a simple Google search for “cyber insurance,” the first hit is from the U.S. Department of Homeland Security. As recently as July 2014, the DHS published a report, Insurance for Cyber-Related Critical Infrastructure Loss.
Not to be outdone by its progeny, the government of the United Kingdom weighed in on the issue, opining that cyber insurance was critical for online businesses and expressing its support for the growth of a cyber insurance market in a joint government and industry statement on the cyber insurance market. Given the projected trends in online retail sales for European countries and the US, it is easy to see why governments might be somewhat anxious to see a cyber insurance marketplace develop. As the joint statement posted by the United Kingdom Cabinet Office put it “[i]nsurers providing cyber breach and wider operational risk cover can play an integral role in driving improvements in cyber security risk management.” The joint statement also noted that beyond helping insureds recover losses following a data breach, cyber insurance may provide insureds “front end risk analysis to gauge the organisation’s exposure to cyber risk, and deliver rapid incident response services that are critical to minimising the impact of a breach.”
That the UK and US governments have expressed an interest in working with insurers to discuss the development of a cyber insurance market bodes well for the healthy and speedy development of such a marketplace. The DHS’s report details some of the critical challenges in the development of a cyber insurance market, including “a lack of actuarial data; aggregation concerns; and the unknowable nature of all potential cyber threat vectors.” While all insurable events have an inherently “unknowable nature” (otherwise you wouldn’t have to ensure against them), the recognition of the challenges to gathering accurate actuarial data is significant. It is easy to see why insureds would not want to share cyber incident data, fearing negative economic or regulatory consequences. Perhaps an open dialogue between insurers and governments may provide a framework for disclosure that can cut against those, and other, concerns.