Cyber insurance is one of the fastest growing insurance markets; it is expected to grow from $2 billion today to $20+ billion over the next decade. It has given agents and brokers the boost they have needed as global insurance rates have steadily declined over 15 consecutive quarters.

In its Global Insurance Market Index Q4 2016 report, Marsh attributed the decline to “a global market with substantial capacity and an absence of significant catastrophe losses.”

Cyber insurance rates, on the other hand, have had positive growth for 10 consecutive quarters, although Marsh data show premiums are now increasing at a slower pace than in 2015, when they rose between 16.9% and 20% throughout the year. In 2016, rates rose by 12% in the first quarter and only 1.4% in the fourth.

This does not necessarily mean the cyber insurance market is stabilizing. It just means the next big attack hasn’t happened yet. Just as property-casualty rates are linked to natural disasters and large-scale accidents or events, cyber insurance rates are linked to cyber crime. The nature of the crime—the industry sector hit, the number of people affected, and the amount of press given to a cyber event—can significantly affect rates. 

Reuters reported the 2013 Target Stores and 2014 Home Depot breaches cost the companies $264 million and $232 million, respectively. But the breaches also cost other retailers. Marsh data show a 32% increase in cyber insurance premiums for the retail sector in the first half of 2015. Beazley reported some health insurers who suffered attacks faced a three-fold premium increase.

The insurance market’s cyber underwriting process has continued to evolve and mature as lessons are learned from attacks and losses. Insurers are building repositories of claims data to bolster their analysis in the underwriting process. They are also beginning to understand the importance of cyber-security programs that align with best practices. These programs link IT operations, compliance requirements, policies and procedures, technologies deployed, response plans and governance to create a stronger security posture that is better able to withstand cyber attacks.

In the end, however, the insurance market and buyers are still reacting to criminal behavior and the harm caused through cyber crimes, particularly those events that may aggregate exposures. The sophistication of today’s attacks is unparalleled, and they are being conducted by a range of actors—teenagers seeking a thrill, lone hackers, insiders, organized crime, terrorists and nation states—each with different motives and end-game strategies. Therefore, it is wise to factor in the unpredictable—the “unknown unknowns”—when determining capacity and pricing parameters. Breaches of personal, health and financial data will continue, but the trend is toward complex, multipronged attacks that may perform several actions (steal data, erase or corrupt data, disclose confidential information, etc.) and attacks with an easy monetary reward.

The increase of ransomware, which is malware that very quickly encrypts all data on a system—as well as online backup files—is alarming. Most companies are not prepared to deal with these attacks (hint: get a bitcoin account now). A 2016 IBM study found that ransomware increased 6,000% in 2016 and is headed toward becoming a $1 billion business.

The Internet of Things (IoT) is all about connecting smart devices, sensors, surveillance cameras, thermostats, etc. to a network and the Internet. It is poised to become a favored means of conducting cyber attacks, which can cause massive network disruptions and business interruption losses.

A recent AT&T report says IoT attacks increased 400% in 2016. No one is prepared to deal with them: not governments, companies, educational institutions, hospitals, underwriters, brokers or agents. I predict by 2018, IoT attacks will become the most serious cyber threat on the planet.

Quite simply, cyber crime will continue to drive purchases of cyber coverage, and it will force changes in insurance products. Large attacks, such as those that hit Target, Sony, Home Depot and Anthem, raised awareness at the board and executive levels and resulted in increased cyber coverage purchases.

A 2016 Zurich-Advisen survey reported 85% of senior executives consider cyber a significant risk, and the Financial Roundtable’s 2015 survey (full disclosure: I wrote the report) on board and executive governance of cyber security revealed 63% of boards are actively addressing and governing computer and information security.

That level of awareness drives sales. Marsh had a 25% increase in cyber insurance sales from 2015 to 2016, and Lloyd’s of London’s CEO, Inga Beale, reported a 50% rise in 2016. The Council’s October 2016 Cyber Insurance Market Watch Survey found retail, healthcare and financial services clients were most likely to purchase cyber insurance.

Marsh noted the healthcare, communications, media and technology sectors led the way.

Cyber insurance sales to small and midsize businesses are also likely to rise. These companies generally have not focused on cyber threats, but they are now increasingly targeted. A 2016 Advisen report says these businesses are often vulnerable and the impact on their operations can be substantial.

All of this means:

  • The criminals will keep attacking in more ingenious ways.
  • The cyber insurance market is a long way from stabilizing, and insurance companies will struggle for some time to figure out rates and underwriting.
  • Clients will remain confused about what cyber insurance they need and how much to buy and will have to engage in risk assessments to help them identify their vulnerabilities and the types of attacks that could have a material impact on their operations or bottom line.
  • Brokers and agents will have to do a better job of explaining policies and the types of events that are covered. They will need to understand the threat environment and how attacks can affect clients.
  • Legislators will respond to attacks by continuing to pass laws and regulations, such as the EU’s General Data Protection Regulation. It goes into effect in May 2018 and requires security measures and imposes stiff penalties for non-compliance. It also forces companies to examine insurance options as a means of transferring risk.

“Regardless of sector, the role of the insurance industry goes far beyond simply providing a cyber policy,” says Beale. “It spans the full life cycle—from initial risk assessments to helping build more resilient systems and infrastructure and ultimately to providing the support if and when things go wrong.”

Westby is CEO of Global Cyber Risk. westby@globalcyberrisk.com