Cyber insurance is a type of insurance product designed to help businesses and individuals manage the financial and reputational risks associated with cyber incidents like data breaches, hacking attacks, and online fraud. Also known as cyber risk or cyber liability insurance, it works by transferring some of the risks posed by cyber threats to an insurance company in exchange for a premium payment.
Cyber insurance policies can cover a range of potential costs that could arise following a cyberattack or data breach, including:
- Legal expenses, litigation, and settlement costs
- Crisis management and public relations fees
- Forensic investigation of the incident
- Business interruption and loss of income
- Regulatory fines and penalties
- Credit and identity monitoring for affected individuals
The need for cyber insurance has grown in recent years, as cyberattacks and data breaches have increased in frequency, sophistication, and cost. High-profile incidents like the 2017 WannaCry ransomware attack and the 2018 Marriott data breach highlighted how vulnerable businesses are to cyber risks. No organization is immune, and the consequences of an attack can be severe.
Cyber insurance aims to soften the financial blow of these incidents so that companies can continue operating. It also incentivizes organizations to implement stronger security controls in order to qualify for coverage and receive lower premiums.
This article will provide an in-depth overview of cyber insurance, including its history, the types of coverage available, how premiums are calculated, the claims process, major providers in the market, what to look for when purchasing a policy, and limitations to be aware of. We’ll also examine the future outlook for cyber insurance as cyber risks evolve. The goal is to help readers understand if cyber insurance is right for their organization and how to evaluate policies and providers.
History of Cyber Insurance
Cyber insurance is a relatively new insurance product that emerged in the late 1990s as the internet became more widely used for e-commerce and digital operations. Here are some key events in the evolution of cyber insurance:
- The first cyber insurance policies were introduced around 1997-1998 by companies like AIG, Chubb, and Lloyd’s of London. These focused mainly on cyber extortion threats.
- After several high-profile data breaches in the early 2000s, demand for cyber coverage increased. Insurers expanded policies to cover costs related to data breaches, business interruptions, and media liability.
- In 2003, the publication of California’s data breach notification law SB 1386 raised awareness of cyber risks and increased demand for cyber insurance.
- In the mid-2000s, data breaches became more frequent and severe. Major breaches like the TJX Companies attack impacted over 94 million customers. This led more organizations to consider cyber insurance.
- By 2011, the market for standalone cyber insurance policies was estimated to be $1 billion in gross written premiums. More insurers entered this profitable market.
- High-profile cyberattacks on companies like Target, Home Depot, Equifax, and others continued to demonstrate vulnerabilities and drive demand for cyber coverage.
- Today, cyber insurance is one of the fastest-growing insurance markets, now exceeding $6 billion in annual premium revenue in the US. As cyber risks evolve, policies continue to be refined.
Coverage
Cyber insurance policies can cover a range of losses, which typically fall into two main categories: first-party losses and third-party losses.
First-Party Losses
First-party losses refer to direct damages and costs incurred by the policyholder. Common first-party coverages include:
- Data loss/restoration: This covers the costs of restoring lost or corrupted data and recovering systems from a cyberattack.
- Business interruption: Covers income loss and extra expenses due to suspended operations caused by a cyber incident.
- Cyber extortion: Covers extortion payments and negotiation costs associated with ransomware attacks.
- Security breach response: Covers legal, forensic, notification, and credit monitoring expenses involved in responding to a data breach.
- Cybercrime: Covers direct financial losses due to electronic theft and fraud.
Third-Party Losses
Third-party losses refer to damages and claims brought by others against the insured. Typical third-party coverages include:
- Liability: This covers legal defense costs and damages the policyholder is legally obligated to pay due to a data breach or cyber incident affecting third parties.
- Regulatory actions: Covers defense costs and fines/penalties associated with regulatory actions brought by entities such as the FTC or state attorneys general.
- Payment card liabilities: Covers assessments, fines, and costs imposed by banks and credit card companies due to a payment card data breach.
Common Exclusions
While cyber policies cover a range of losses, they do typically contain exclusions where coverage will not apply. Common exclusions include:
- Bodily injury/property damage
- Failure to follow minimum security practices
- Intentional or criminal acts
- Acts of war/terrorism
- Patent/trade secret infringement
- Contractual liabilities
- Reckless disregard for security
So in summary, cyber insurance provides vital protection against a variety of cyber incidents and data breaches, covering both first and third-party losses. However, policies do contain important exclusions that policyholders should be aware of.
Pricing
Cyber insurance pricing is based on a variety of factors that help insurers quantify risk. Premiums are calculated through a process called underwriting, where insurers assess the probability and severity of potential cyber incidents.
The main factors that affect cyber insurance pricing include:
- Industry: Industries like healthcare, financial services, and retail tend to have higher premiums due to handling sensitive data and being frequently targeted. Higher-risk industries pay more.
- Company size: Larger companies pay more as they have a larger attack surface and more data/assets at risk. Small businesses can often get lower premiums.
- Revenue: Companies with higher revenues pay more for coverage as they have more resources to protect and more to lose from an attack. Revenue size helps determine appropriate policy limits.
- Previous claims/losses: Companies with past cyber incidents or claims may be considered higher risk and charged more. Those with losses tend to see increased premiums.
- Security controls: Companies that demonstrate strong security like encryption, firewalls, and robust incident response may qualify for discounts on premiums. Lacking security raises rates.
- Coverage limits: Higher policy limits equal higher premiums. More extensive coverage is more expensive. Companies can lower costs by reducing limits or accepting more risk via higher deductibles.
Premiums for cyber insurance increased dramatically in 2019 and 2020 due to the rise in ransomware and data breaches. However, the market is starting to stabilize. Companies can potentially lower costs by taking cybersecurity more seriously. The better protected from threats a company is, the more reasonably priced the insurance.
Claims
Cyber insurance claims have been steadily rising over the past several years as cyber-attacks become more frequent and sophisticated. Here are some key statistics on cyber insurance claims:
- The number of claims being filed is increasing rapidly. One estimate shows that cyber insurance claims increased by over 30% from 2020 to 2021.
- The average value of cyber insurance claims is around $200,000, but claims can range from a few thousand dollars to over $1 million for major data breaches.
- The most frequent causes of cyber insurance claims are ransomware attacks, business email compromises, data breaches, and distributed denial of service (DDoS) attacks. Ransomware alone accounts for over 50% of claims costs.
- The claims process typically involves notifying the insurer right away after an incident occurs. The policyholder works with the insurer to determine coverage, coordinates with forensic investigators, notifies affected parties if needed, and negotiates ransoms in the case of ransomware.
- The insurer may provide access to legal counsel, public relations services, credit monitoring services, and network security services as part of the claims process. The insurer pays covered costs directly to service providers.
- Claims are often complex and time-consuming to resolve. The entire process from incident to claim closure can take months in many cases. Prompt incident response and good record-keeping are important for smoother claims processing.
So in summary, cyber insurance claims are rising rapidly in step with increasing cyber-attacks. Ransomware is the biggest driver of claims, but other attacks can also lead to costly claims. The claims process involves coordination between the policyholder and insurer to cover expenses and services for the incident.
Major Providers
The cyber insurance market is dominated by a handful of large insurance companies. The top providers include:
- **AIG**: The market leader in cyber insurance, AIG holds around 20% market share. They offer a range of cyber risk management solutions for companies of all sizes, including data breach insurance, network liability, cyber extortion, and more.
- **Chubb**: One of the largest property and casualty insurers, Chubb has a strong presence in cyber insurance. Their solutions cover data breaches, business interruption, cyber crimes, and digital media liability.
- **AXA XL**: This leading commercial insurer provides tailored cyber insurance for mid-size to large companies. Their policies cover costs associated with data breaches, cyber extortion threats, and online media liability.
- **CNA**: As an early provider of cyber insurance, CNA has accumulated deep expertise in this space. They offer comprehensive policies to help clients manage and mitigate cyber risks.
- **Zurich Insurance**: A major global insurer, Zurich offers cyber insurance as part of their professional liability offerings. Their policies are targeted at mid-size to large firms.
While these major carriers dominate the market, there are also many smaller providers emerging to meet the demand for cyber insurance from small businesses and startups. The competitive landscape continues to evolve as cyber risks become more pervasive.
Purchase Considerations
As cyberattacks and data breaches continue to rise, most organizations need to consider purchasing a cyber insurance policy. However, not all policies or providers are equal. Here are some key factors to evaluate when purchasing cyber insurance coverage:
Who Needs Cyber Insurance?
Cyber insurance is crucial for any organization that collects or stores sensitive data, such as:
- Financial services firms
- Healthcare providers
- Retailers
- Educational institutions
- Government agencies
Essentially any organization that faces cyber risks should strongly consider obtaining coverage. The costs of recovering from an attack without insurance can easily cripple an organization.
Evaluating Your Coverage Needs
- Consider the type and volume of sensitive data you collect and store, such as customer records, employee records, intellectual property, or medical data. The more sensitive data you have, the higher your risks.
- Assess your security controls and defenses. Organizations with weak security practices face greater risks.
- Analyze your reliance on technology and internet-connected systems. The more reliant your business operations are on technology, the more you need cyber insurance.
- Review your compliance obligations for data security and breach notification laws. Non-compliance can lead to heavy regulatory fines.
Key Factors in Selecting a Policy
When comparing cyber insurance options, look for policies that cover:
- Breach response services, including legal, investigation, and notification costs
- Network and data recovery and restoration expenses
- Loss of income or business interruption damages
- Liabilities arising from lawsuits, regulatory actions, and contractual breaches
- Extortion and ransomware payments (often with limits)
- Reputational harm and crisis management services
Also consider policy limits, exclusions, deductibles, and the insurer’s reputation and experience with cyber claims. Work with a broker who understands your risks.
Policy Limitations
Cyber insurance policies have a number of limitations that policyholders should be aware of before making a claim. Understanding these gaps in coverage can help organizations make more informed insurance purchasing decisions.
**Exclusions**: Policies may have exclusions for certain types of cyber events like war, terrorism, or illegal acts by the insured. Acts by rogue employees may also be excluded. Intellectual property theft and reputational damages are typically excluded as well.
**Prior Acts**: Most policies only cover incidents that occur after the start of the policy period. Anything prior to the policy inception is excluded.
**Affiliate Coverage**: Damage from a breach at an affiliate or subsidiary may or may not be covered depending on the policy language. This is an important consideration for large enterprises.
**Non-Tech Businesses**: Insurers may deny claims from non-tech companies if it is determined they lack adequate IT security protections. Having robust controls and safeguards in place is key.
**Contract Language**: Vague policy wording related to costs like forensic investigations, legal services, crisis management, and regulatory penalties is a frequent denial reason. Precision is important.
**Policy Limits**: With limits on dollar amounts for different coverage areas, large-scale breaches can easily exceed the maximums, leading to denial of anything above the limit. Sufficient limits must be purchased.
**Causation Challenges**: Insurers may dispute whether a cyber attack directly caused a claimed business loss when other factors are present. Causation must be firmly established.
**Better Coverage**: Work with brokers to carefully evaluate and negotiate policy language. Be proactive about risk mitigation. Increase limits where warranted. Stay vigilant about coverage gaps.
Future Outlook
The future of the cyber insurance industry looks bright, with projections of strong growth in the coming years.
- New regulations require organizations to bolster cybersecurity defenses. This includes regulations like the EU’s General Data Protection Regulation (GDPR), which mandates data breach notification and penalties. Adopting cyber insurance is an approach for organizations to offset regulatory and litigation risks.
- Greater availability and affordability of cyber insurance policies, as more insurers enter the market and increase competition. Policy options and coverage are expanding while premiums drop.
- Improved risk analytics enable insurers to better estimate potential losses and offer enhanced policies. Underwriting is evolving from a one-size-fits-all approach to more customized policies.
Emerging trends that will shape the future of cyber insurance include:
- **Greater product specialization** – Insurers are offering more focused products for specific industries and risk types, moving beyond one-size-fits-all policies.
- **Use of AI for risk assessment** – Insurers are utilizing AI and advanced analytics to better evaluate and price cyber risks on an individualized basis. This enables more accurate underwriting.
- **Adoption of cyber hygiene standards** – More insurers are requiring policyholders to implement cybersecurity best practices as a condition of coverage. This improves risk management.
- **Internet of Things (IoT) and blockchain solutions** – Insurers are investigating technologies like IoT monitoring and blockchain as methods to boost security and mitigate cyber risks.
- **Synergies with managed security services** – Partnerships between cyber insurers and IT/security firms are emerging, bundling insurance with services like SIEM monitoring and incident response.
Innovation and growth will remain high as insurers respond to the rapidly evolving cyber risk landscape. Companies wanting protection need to closely evaluate policy options as cyber insurance continues advancing.
Conclusion
Cyber insurance has emerged as an important tool for businesses looking to protect themselves in an increasingly digital and interconnected world. Key points covered in this article include:
- Cyber attacks and data breaches are on the rise, with costs averaging in the millions of dollars per incident. Cyber insurance can provide financial protection against these costs.
- Policies typically cover expenses like forensic investigations, legal liabilities, crisis management, and victim compensation associated with cyber incidents. Extra coverage may be available for business interruption and cyber extortion.
- Pricing varies based on company size, industry, revenue, and cyber risk level. Factors like security controls and past breaches also impact premiums. Rates range from a few thousand to over a million dollars annually.
- The claims process starts with promptly notifying the insurer. They will assist with response coordination and coverage determination. Claims could be denied over policy exclusions or investigation findings.
- Major insurance providers include AIG, Chubb, Travelers, and CNA. Brokerages can help find tailored solutions from specialty insurers. Look for experienced underwriters with cyber expertise.
- Consider policy limits, exclusions, deductibles, and add-ons when purchasing. Also, review the insurer’s reputation and claims service. Update coverage regularly as exposures change.
- Policies cannot cover every cyber risk. Focus on good security and planning in addition to transfer of risk through insurance.
Cyber threats will continue evolving, but cyber insurance can be a key component of an organization’s risk management strategy. As incidents become more frequent and severe, coverage and adoption rates will likely continue rising. Cyber insurance provides another layer of defense in our increasingly interconnected world.