September 20, 2017
Increasingly pervasive threats to cybersecurity have jumpstarted the cyberinsurance business to reach beyond technology companies, its core customers. Covering financial loss, including theft of data and ransomware, cyberinsurance is reportedly the fastest-growing coverage among U.S. companies; cyberinsurance firms provide competing tools to distinguish their offerings in the marketplace. Insurance is not in lieu of good security practices, but the idea of cyberinsurance is appealing even though it is largely untested.
The Wall Street Journal quotes Travelers Co. executive Tim Francis that, “there’s so much new coverage out there that hasn’t been tested.”
“One day there will be certain claims and we’ll figure out if the words we used to convey coverage actually say what we thought they meant, which is often up to a lot of lawyers,” he said.
Fitch Ratings reports that the cyberinsurance industry grew 35 percent in 2016, “with total premiums of $1.35 billion,” adding that this “likely underestimates” the industry’s size. Allied Market Research predicts that, “the global market may reach $14 billion by 2022.”
Prominent hacks and ransomware attacks (such as WannaCry in May, which locked up hundreds of thousands of computers) spur companies to buy insurance, say the experts, but also “new laws such as the European Union’s General Data Protection Regulation that takes effect in May 2018.”
“There has been a legal imperative, and along with that, company awareness of the issue has grown,” said Insurance Information Institute consultant Claire Wilkinson, who notes that today’s cyberinsurance covers “a vast array of computer-related risks.” The risk of not having cyberinsurance has also grown: shipping conglomerate A.P. Moller-Maersk said a recent attack “will cost the company between $200 million and $300 million.”
Elsewhere, WSJ reports that cyberinsurance companies are now looking at better ways to evaluate potential clients’ risk, since traditional questions about risk exposure and security practices may not “indicate whether or not a company will be targeted by cybercriminals.”
American International Group and Travelers, among other companies, “have started to join with independent security-rating companies to get a better picture of risk,” by collecting data on cyberattacks and trying “to create standard scoring systems to indicate the likelihood that a company will suffer an attack or won’t be able to adequately respond to one.”
Ratings firms use Freedom of Information Act requests, news sites and other data “publicly available through state notification laws” — as well as “listening in on hacker chatter in hard-to-reach corners of the Internet” — to amass relevant data and create scores.
Security-rating firm BitSight Technologies “rates companies on a scale of 250 to 900, with scores below 500 considered poor and above 700 considered good.” Companies “at the low end of the scale are five times more likely to suffer a data breach than a company at the high end of the scale,” said the company’s chief technology officer Stephen Boyer.
“Not everyone feels comfortable about getting rated,” said Boyer. “They don’t like the idea that insurers can see where they have gaps. But insurers want to be much more proactive instead of waiting for a claim.” The U.S. Chamber of Commerce also introduced “a list of principles for ‘fair and accurate’ cybersecurity ratings signed by 44 companies,” including Aetna, Bank of America, Microsoft and Starbucks.