Though the cyber insurance market is currently very small and concentrated in the United States, the number of players is expected to increase in the coming years, resulting in both lower premiums and more standardized policies. So says an international insurance think tank in a recently released report, Ten Key Questions on Cyber Risk and Cyber Risk Insurance, which summarizes existing research and offers recommendations to insurers and governments for preventing cyber risks and supporting cyber insurance.
According to the report, the main insurability challenges of the cyber insurance market include lack of data, potential moral hazard problems, and the complexity of existing policies. For example, insurers have had difficulty underwriting cyber risk due to the lack of historical data; even what data exists may be a questionable predictor of future risk given the “dynamic nature” of cyber risks. Moral hazard issues arise from the fact that companies that have previously experienced a serious cyber attack are more likely to buy cyber insurance. In addition, since modern IT systems are so often interrelated with third-party IT systems (such as those of a vendor or a service provider), a company’s incentives to invest in self-protection measures may be reduced. Yet another impediment to the market’s development is the complexity of current cyber policies, which have no standardized terminology and contain a large number of exclusions, making them difficult to compare.
Notwithstanding these issues, the report observes that the cyber insurance market is still in its infancy, but over time, “the risk pools will become larger and more data will be available.” The actual and expected emergence of new cyber insurers will “increase insurance capacity, competition and push prices down” as well as “lead to a more uniform terminology and standardization of products.” Moreover, the European cyber insurance market, which lags far behind the U.S. market, is expected to grow significantly due to the European Union’s possible adoption of cyber attack reporting requirements.
TIP: Typical cyber policies cover privacy, network security and media liability, as well as crisis management, business interruption, and data asset protection costs. This report from The Geneva Association is helpful for companies looking for a primer on cyber risk and cyber risk insurance as they evaluate their need for such coverage.