Six in 10 companies have purchased cybersecurity insurance in the past year, helping make cybersecurity insurance the fastest-growing sector of the insurance market, keeping pace with global IT security expenditures.
A recent PwC report forecasts that the global cyber insurance market will reach $5 billion in annual premiums by 2018, and $7.5 billion in annual sales by 2020, up from $2.5 billion this year. Worldwide spending on information security will reach $75.4 billion in 2015, an increase of 4.7 percent over 2014, according to a forecast from Gartner. The cost of managing cybersecurity is expected to increase 38% over the next 10 years to almost $100 billion as companies spend increasingly on cybersecurity tools, according to a RAND Corporation study. Worldwide spending on cybersecurity will grow at 10% to 15% annually. The cybersecurity insurance market is expected to double risk-control processes and to cover security flaws exploited by attackers.
As Gartner has explained, spending increases are driven by government initiatives, increased legislation and high-profile data breaches. Breaches have become commonplace: one in four US technology executives say their company has suffered a security breach in the past 12 months and that they plan to spend more on IT security in the next year, according to a survey by advisory firm KPMG. Three quarters of technology executives expect their companies to spend 1 to 5 percent of their revenue on IT security over the next 12 months.
The Global State of Information Security Survey 2016 from PwC points out that information sharing and advanced cybersecurity technologies will not stop all cyberattacks, as technically adept adversaries will always find new ways to circumvent cybersecurity safeguards. This is the main reason many businesses buy cybersecurity insurance: to mitigate the financial impact of cybercrime.
First-party insurance products cover data destruction, denial-of-service attacks, theft and extortion; they may also include incident response and remediation, investigation and cybersecurity audit expenses. Other key areas of coverage include privacy notifications, crisis management, forensic investigations, data restoration and business interruption. The insurance industry is attempting to expand into policies that cover the value of lost intellectual property, reputation and brand image, as well as cyber-related infrastructure failures, the report shows.
In addition to mitigating financial risks associated with cybercrime, companies that purchase insurance stand to gain a better understanding of their cyber-readiness. In general, insurers require a thorough assessment of current capabilities and risks as a precondition to purchasing a policy. These evaluations can help businesses better predict legal and regulatory exposures, costs of response, and potential brand damage related to cybersecurity risks.
Some managers consider that today’s cybersecurity policies do not deliver the right mix of value and risk management. The Canadian Imperial Bank of Commerce (CIBC) has been evaluating cybersecurity insurance for several years, and has been monitoring the policy landscape as it matures, the report shows.
“Our security and our corporate insurance teams analyze and review risks that our bank faces on an annual basis and view these in the context of available policies and associated costs,” said Joe LoBianco, CIBC’s vice-president, in the report. “Based on this analysis, we have not selected cyber insurance, primarily for its lack of readiness. The biggest concerns we have around cyber breaches have to do with the safety and security of our clients’ information and ensuring their utmost trust in our bank, and that’s much more difficult to insure.”
Another vexing issue for many organizations is determining how much cybersecurity insurance to purchase. There is no one-size-fits-all policy recommendation, however.
“Generally, businesses should understand that they won’t be able to insure the full risk of loss because the market just doesn’t have the supply yet,” said PwC Principal Joseph Nocera. “Looking at some of the big breaches that have occurred in the past year or so, many large firms are trying to get $80 to $100 million policies, while smaller companies are settling on $10 million policies. There’s no one answer, however, because there is an array of individual variables, such as company size, industry sector, types of data the organization stores, the maturity of security controls and individual risk tolerance. It’s also important to remember that no insurance products will protect a firm’s reputation or brand.”
According to Paul Delbridge, insurance partner at PwC, “as Boards become increasingly focused on the need for safeguards against the most damaging cyberattacks, insurers will find their clients questioning how much real value is offered in their current policies.”
“If insurers continue to simply rely on tight blanket policy restrictions and conservative pricing strategies to cushion the uncertainty, they are at serious risk of missing this rare market opportunity to secure high margins in a soft market. If the industry takes too long to innovate, there is a real risk that a disruptor will move in and corner the market with aggressive pricing and more favourable terms,” Delbridge added. “Given the high costs of coverage, the limits imposed, the tight terms and conditions and the restrictions on whether policyholders can claim, many policyholders are questioning whether their policies are delivering real value. There is also a real possibility that overly onerous terms and conditions could invite regulatory action or litigation against insurers.”
PwC suggests that insurers, reinsurers and brokers can capitalise on the cyber risk opportunity while managing their exposures by maintaining their own cyber risk management credibility through effective in-house safeguards against cyberattacks, by evaluating Probable Maximum Losses and extreme events and scenarios, and by monitoring and revising those estimates regularly as new types of attack arise.
Some 61% of business leaders across all industries see cyberattacks as a threat to the growth of their business, and 2014 saw an average of 100,000 global security incidents a day.