Cyber Attacks Remain a High Risk, and More Enterprises are Buying Insurance for Protection

Reading time: 6 min
Share this Share on email Share on twitter Share on linkedin Share on facebook

The Society of Actuaries (SOA), the world's largest actuarial professional organization, recently released its annual survey of emerging risks in conjunction with other partner organizations. The good news for security programs is that cyber risk for the first time in five years was not ranked at the top of the list. The bad news is that cyber security is still a formidable challenge for organizations.

Knocking cyber security from the top spot is climate change, which ranked as both the top current risk and the leading emerging risk, according to the 12th Annual Emerging Risks Survey of Risk Managers from the Joint Risk Management Section (JRMS) of the Canadian Institute of Actuaries (CIA), Casualty Actuarial Society (CAS), and the Society of Actuaries (SOA).

The study is based on an online survey of 267 risk managers worldwide conducted in November 2018, and shows that risk managers perceive climate change (12%), cyber risk (11.6%), and financial volatility (11.2%) to be the three greatest current risks.

While climate change edged out other risks this year, it is important to note that cyber risk is still a strong threat, the study said. The emerging risks follow a similar pattern as the current ones, with climate change ranking first (22.2%), cyber risk second (14.8%), and technology third (13.2%).

Perhaps not surprisingly—given the high level of risk involved with information resources and the ongoing increase in sophistication of attacks—demand for cyber security insurance is on the rise worldwide.

The global cyber insurance market was valued at $2.92 billion in 2018 and is expected to reach $16.7 billion by the end of 2024, according to a recent report from Orbis Research. That represents a compound annual growth rate (CAGR) of 34% between 2019 and 2024.

Cyber insurance protects businesses and individual users from Internet-based risks, and more broadly from risks relating to IT infrastructure and activities. Risks of this nature are not typically included in traditional commercial general liability policies, or at least are not specifically defined in traditional insurance products, the report noted.

Cyber insurance policies might include first-party coverage against losses such as data destruction, extortion, theft, hacking, and denial-of-service (DOS) attacks.

“With cyber attacks becoming the norm these days, even threatening to expand into a global epidemic, cyber risk insurers across the globe are seeing organizations and end users scramble for protection from possible data and information security disasters,” the report said.

In terms of regions, North America dominates the cyber insurance market, accounting for nearly 90% of the overall market. Mandatory legislation regarding cyber security in several U.S. states has led to higher penetration of cyber liability insurance policies, the report said.

Europe had much less penetration of cyber insurance policies at the time the study was conducted. But the emergence of regulations such as the General Data Protection Regulation (GDPR) that took affect in May 2018 was expected to push organizations to purchase such insurance policies.

Most cyber insurance writers have shifted to standalone policies and away from packaged policies, the report said, because insurers view standalone policies as more efficient and effective than packaged policies.

A January article in Insurance Journal noted key trends that will likely drive the cyber insurance market forward this year. One is the emergence of new regulations. There has been a recent increase in laws such as GDPR that are related to the privacy of data including personally identifiable information (PII). One of the ways organizations can address the risk stemming from these laws is through cyber insurance.

Another trend is the development of the cyber insurance linked securities (ILS) market and cyber risk pools. Insurance professionals are looking for ways to expand the availability of cyber insurance and creative ways to enter the market, the article noted. Cyber pools can potentially provide a means of offering cyber insurance to corporate buyers and the use of capital markets funding can allow for larger policy limits for specific use cases.

A third trend is growing awareness of silent cyber risk. Insurers are gradually realizing that they have unquantified exposures and are seeking ways to quantify their exposures and give them the option to change or exclude coverage in other lines that might leave them overly exposed.

Yet another trend is the growth of cyber managing general agents (MGAs) and managing general underwriters (MGUs) worldwide. The increase of cyber-focused MGAs is most likely due to the need for deep expertise on the risks faced with providing cyber insurance and the need for dedicated efforts to address the needs of cyber insurance purchasers, the article said.

Finally, the role of the board of directors regarding cyber security continues to grow. Breaches can affect an entire organization and have a major impact on business operations. Cyber security is now considered an enterprise-wide risk management issue, with broad legal and regulatory implications. That means boards will likely be more interested in companies investing in cyber insurance policies.