We’ve been writing a lot about cybersecurity insurance - most recently in Cybersecurity Insurance: Closing the Widening Risk Gap. This is a fast-moving market, and one that I think will increasingly affect how enterprises manage cybersecurity risks. And, in the long term, insurance may even help enterprises reduce risk more cost-effectively and efficiently. But the road there is going to be filled with bumps and false starts – if that end state is reached at all.
According to a recently released report on the cyber insurance market from U.S. wholesale insurance broker Swett & Crawford, the cybersecurity insurance market is going through considerable transition, and premiums vary widely in cost and availability, depending on the vertical market of the company seeking such policies, as well as its location. Insurance companies, the report found, are positioning themselves to gain share in this burgeoning market.
“With the exception of a few classes of business where the perceived risk is high, e.g. healthcare, large retail operations and payment processors, capacity for cyber risk is plentiful,” the report stated. In an example in the report, a manufacturing client that doesn’t hold a lot of records might find insurers willing to take additional risk and offer larger limits than usual. “After the Target data breach in 2013, there was a brief hard market for retail accounts, but conditions have eased somewhat. Insurers remain cautious about writing risks where a business holds a large amount of credit card data,” the report said.
Perhaps because of the difficulty of measuring risks, such policies are being limited with so-called sublimits and deductibles. “For example, a policy with a $1 million limit may have a $250,000 sublimit on notification and cost $4,000; another insurer may charge $7,000 for a policy with a $1 million limit; and depending on class of business, that same level of coverage from a different insurer might cost $12,000,” the report said.
According to Swett & Crawford, large global insurers tend to sublimit their cyber policies. The wide use of sublimits, to me, indicates insurance companies still face challenges measuring the risk of some policies for some vertical markets.
The good news for small businesses, Swett & Crawford found, is that prices for their cyber insurance policies are trending down, while the amount of coverage they can purchase is increasing.
“For organizations with fewer than 100 employees, prices are coming down, deductibles are decreasing and coverage limits are going up. Coverage can still get pricey for medium to large businesses and certain higher-hazard classes, however.
“For medium size businesses, insurance is not as expensive as many business owners might expect. A lot of businesses can buy cyber coverage for $2,000 to $10,000 in premium. But it depends on the exposure, which can vary even among companies with the same amount of revenue,” the report stated.
While insurers want to embrace the cybersecurity insurance market, and certainly are embracing it to a large degree, wide differences remain in policy and coverage availability, depending on the vertical industry involved. “Perhaps 50 or so markets currently offer cyber insurance. For higher-hazard classes, such as large retail merchants or healthcare entities, the number of markets willing to quote is much smaller. Product offerings continue to evolve and the market overall is fluid,” the report concluded.
The full report is available here.