Cyber security represents a milestone for our information society, which continues to expand and influence life. The importance of the topic of cyber security is obvious in light of current news coverage. Security technologies not only improve existing systems and enable new applications, they also reshape society by challenging and redefining existing trust relationships and assumptions.
Cyber Security Insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage. A robust cybersecurity insurance market could help reduce the number of successful cyber attacks.
There are worrisome trends in cyber security: Attacks are more sophisticated, ransoms are rising, and uncertainty is growing. But while companies might look to cyber insurance to protect themselves from these growing risks, there’s another problem: There might just not be enough money in the still emerging sector to cover their needs. So what can companies do? They should still invest in coverage, in part to help the market grow, but they also need to look for other ways to cover their potential exposure, including self-insurance mechanisms that range from simply carrying additional capital to address future cyber attacks through the creation of specific risk-financing activities that function like insurers.
In last year, the world seemingly entered a new era of cyberattacks. Although there have been decades of viruses, breaches, and other forms of attack, last year saw increased bad actor sophistication, a propensity to pay in ransomware cases, and a broad swath of geopolitical uncertainty — conditions that hackers have found favorable.
The severity of financial consequences has been profound. Ransoms have rocketed from five-figure price tags into the millions, including $10 million reportedly paid by Garmin. Several ransom demands were far higher before being negotiated downward, according to clients of mine worldwide. All of which is further escalation of a worrisome trend: A recent report by Hiscox shows insured cyber losses of $1.8 billion in 2019, up an eye-popping 50% year over year.
Facing the prospect of major financial fallout from an attack, C-suites around the world have turned to cyber insurance. Insurers are issuing more policies, and the amounts of protection available are increasing. In 2020, according to data proprietary to the team I lead, the global insurance community saw the first cyber insurance program to exceed $1 billion — and the second.
However, the momentum that has propelled the sector this far may be running out. The cyber insurance sector may still be in its infancy, but there are signs that it’s hit a (hopefully temporary) plateau. There are a few likely causes for this slowed growth. On the demand side, despite the spate of cyberattacks, some companies are buying less cyber insurance or not buying any at all, as economic strain from Covid-19 has caused some them to look at cyber insurance as a luxury. And while more attacks could stimulate demand, they also create a supply problem, making insurers warier of providing cover and reinsurers (who provide insurance for insurance providers) less interested in backing cyber liabilities. On top of that, the lack of historical loss data (resulting from the sector’s short history) adds another layer of unpredictability for all involved.
Ultimately, though, all these drivers boil down to one simple fact: There just isn’t enough money in cyber insurance. And it’s hard to tell right now if there ever will be.
This is an important moment for the future of the sector. The cyber environment is delicate, given the combination of threat volatility, recent losses, and a nascent commitment that could be reduced or withdrawn by the insurers in the space. A wave of cyberattacks with massive insurance industry implications likely wouldn’t pose a solvency threat, but a worst-case scenario coming to pass could result in structural changes to the cyber class of business — or even an insurance industry that’s just a lot less interested in cyber. That could then result in the loss of an important risk management lever for C-suites and boards with significant technology exposure, which is to say, most major and mid-sized companies.
For companies looking to bring more cyber insurance into their risk management practices — or buy for the first time — a bit of planning is necessary. After all, we’re looking at an environment in which claims are increasing and insurers lack the historical data and overall experience to develop the analytics they’d use in more mature lines of business, such as property. To build up a sufficient amount of cyber insurance, early purchases of smaller amounts with increases over time can help prime the market to grow with the needs of the companies it supports.
Swiss Security Solutions can help you to make the right Cyber Risk Assessment, but also to implement Cyber Security E-Learning, Workshops, Training and we could help you to prevent and investigate the matter.