The New Normal: Cyber Security Insurance

You may not have realized it, but in 2014 the IT security industry hit a tipping point. That’s when many of the world’s largest corporations realized that cyber security was no longer just a technical problem for the IT department or an audit issue for the Chief Compliance Officer. Instead, it was a potentially catastrophic risk that executives and corporate boards had to address.

In the wake of dozens of high-profile security breaches, costing corporations tens of millions of dollars, c-level executives heard the wake-up call. There was no denying that cyber security risk was one of the biggest threats facing today’s organizations.

That’s when the market for cyber security insurance began to take off.

According to a recent study by PwC, the current cyber security insurance market is around $2.5 billion and is expected to triple to $7.5 billion by 2020, as more companies recognize the need for coverage and more insurers enter the market. Insurers say every new data breach that hits the headlines drives new demand for coverage. And there is speculation that cyber security insurance will become a regulatory requirement for some industries, like financial services, or that business partners may require it as part of contractual agreements.

So what protection does cyber security insurance offer? Typically, coverage provides protection from the financial consequences of data breaches, including things like security audits, customer credit monitoring services, and legal expenses. That means it usually does not cover longer term damages such as loss of customers, lawsuits, and reputational damage. In the Target and Home Depot cases, less than half the total cost of the breaches was covered by insurance.

Interestingly, cyber security insurance has proved to be a huge challenge for insurance companies and their actuaries. It turns out that applying mathematical and statistical methods to assess IT security risk is not easy. The wide variety of risks posed by cyber attacks, lack of knowledge to assess an organization’s security effectiveness, and the lack of historical data on breaches has made it difficult to estimate probabilities of loss and loss values. To cope with this uncertainty, many insurers have increased premiums, raised deductibles, and established ceilings on potential losses through restrictive limits, exclusions and conditions. Nonetheless, an estimated one third of large U.S. companies have some form of cyber security insurance.

What do you think? On the surface, increased awareness and focus on risk management would seem like a good thing. But at the same time, cyber security insurance could result in increased complacency once the risk is transferred. I’ll add more thoughts on the pros and cons of cyber security insurance in my next blog.