In 2010, cyber insurance premiums totaled just $600,000. In 2021, the cyber insurance industry wrote $10 billion in premiums. The global market is expected to grow 20% annually and reach $23 billion in underwriting premiums by 2025, according to the Swiss Re Institute. Cyber insurance is a large and rapidly growing market. It’s easy to understand why.
Cyberattacks are now seen as an existential threat to the digitized, global economy. Cyberattacks continue to grow in frequency and severity, and high-profile attacks like SolarWinds, Microsoft Exchange and Colonial Pipeline got public and private organizations to wake up. Companies need to insulate themselves from cyber risk. Insurance companies want to sell premiums in a new market.
Various forms of cyber insurance have been available since the late 1990s, but the market remained in its infancy until 2019. These last few years—after being trounced by pandemic-era losses—have made insurers realize just how immature the market has been.
A healthy, thriving cyber insurance market requires the insurance industry to get innovative. It also opens the door for new entrants to the market, with a new class of emerging cyber startups racing to solve the deep technical hurdles inherent in understanding, measuring and mitigating cyber risk. There’s a multibillion-dollar market waiting for those that get it right.
Growing Pains Of A Maturing Insurance Market
The standards we associate with insurance risk tables—and the historical data to reference—don’t exist in the cybersecurity industry. So, the question becomes, how do you score cyber risk? How do you price that risk? And how do you deliver products and services to the marketplace in response to that risk?
Insurance providers incorrectly answered with products that didn’t match the risk, culminating in direct loss ratios that averaged 47% in 2019 and grew to 72% in 2020, per data from regulators. This resulted in a pendulum swing in 2021 and 2022: some insurers left the market, and those that stayed imposed price hikes that doubled and tripled premiums, reductions in policy limits, restrictions to terms and conditions, more stringent hurdles and extended timelines for the underwriting process.
Rising premiums and excessively restrictive coverage leave companies—especially small-to-midsized organizations—unable to participate in this essential market. A recent report on the state of cyber insurance showed only 55% of organizations have cyber insurance, and of those, over one-third (37%) aren’t covered for ransomware payments.
Challenges In Cyber Insurance
Part of assessing risk is being able to measure the frequency and severity of events. This is what makes cyber so challenging.
In cyber, the threats are constantly evolving. Criminal organizations, state-sponsored attack groups, lone hacktivists, AI-powered botnets, disgruntled employees and other bad actors are all sources of risk. Companies might be deliberately targeted, or they might be selected at random. The old rules of factoring and probabilities are thrown out the window.
Cyber is also unique in that a single attack or vulnerability has the potential to scale and compromise thousands of organizations. SolarWinds and Log4j are examples. A cyberattack on a power grid could cause failures across a number of other connected critical infrastructure operations. There’s also no way to project spillover damage from cyberattacks. When Russia targeted Ukraine with NotPetya in 2017, the spillover damage the malware caused as it jumped around the world was estimated to be over $10 billion.
These uncertainties and unknowable possibilities make underwriting cyber insurance incredibly challenging. How do you build a thriving insurance market when so much seems up to chance?
What Steam Boilers Can Teach About Cyber Insurance
The Hartford Steam Boiler Inspection and Insurance Company is a fascinating historical case study on product and insurance market innovation.
It starts in the mid-to-late 19th century, as America enters the Industrial Revolution. Boilers were the driving force, generating steam energy that powered industrial machines, trains and steamboats. There was limited knowledge of the properties of steam, and boiler explosions were common, happening at the rate of once every four days.
From The History of Hartford Steam Boiler: “Most dismissed these incidents as ‘acts of God.’ People who ran industrial concerns simply assumed that their boilers would explode and they would lose one or two other workers.” The future founders of The Hartford Steam Boiler Inspection and Insurance Company “had other ideas.”
They looked for a scientific reason behind the explosions. They developed a new boiler design, the Hartford Loop, that addressed the problem. With periodic inspections and services to the boiler, they could reduce or stop boilers from exploding. To scale safety and loss prevention, they incentivized inspections with insurance offerings.
They used their engineering knowledge to build risk mitigation into a product and drove adoption through insurance, saving lives while increasing profits on both sides.
Cyber Insurance Factored On A Continuous Scale
For cyber insurance to be viable—and perhaps ubiquitous—some things are going to have to change. It’s also clear, given how organizations of various sizes pursue their cybersecurity, that there is no one-size-fits-all answer.
For sophisticated larger organizations, insurers are likely to demand better visibility into (and accountability for) the organization’s cyber posture. Continuous controls monitoring (CCM), an emerging concept designed to measure an organization’s security posture on an ongoing basis, based on the spectrum of tools deployed, may hold the answer here.
An integrated and holistic measure of cybersecurity, indicating gaps and priorities, can provide the framework and data that insurers are likely to demand. This same framework will also be responsive to increased regulatory oversight being driven by government authorities.
For smaller organizations (that are no less at risk) that secure their enterprise through services organizations—such as specialized managed security service providers, or more general managed service providers—insurance could be embedded in the “service.”
Use their platform, and they will insure you against cyberattacks—putting their money where their mouth is. At the end of the day, that is going to be what it takes. Insuring against the risk and consequence of cyberattacks needs to be a shared responsibility if there are going to be shared costs and accountability.