As the cyber threat to businesses around the world has grown, so has interest in insuring against losses related to cyber crime. An increasing number of insurance providers have begun offering cyber threat products, and the expectation is that the market will grow dramatically. Financier states that between 2012 and 2014, the size of the market almost trebled, with estimated gross written premiums rising from $850 million to approximately $2.4 billion – and 2015 could see the market hit $4 billion.
We’ve argued previously that insurance has significant value, and going through the process of purchasing coverage can offer buyers insight about the risks they face and the steps that should be taken in their cybersecurity program to meet minimum qualifying criteria. But all along there’s been an accompanying recognition that the insurance industry has lacked the actuarial data that would enable really meaningful analysis and facilitate the evolution of the market. Now, thanks to an unending series of high-profile attacks, we’re beginning to get the data, and as the insurance industry responds, the word that comes to mind is, “Yikes!”
Reuters just reported that “A rash of hacking attacks on U.S. companies over the past two years has prompted insurers to massively increase cyber premiums for some companies, leaving firms that are perceived to be a high risk scrambling for cover. On top of rate hikes, insurers are raising deductibles and in some cases limiting the amount of coverage to $100 million, leaving many potentially exposed to big losses from hacks that can cost more than twice that.” Reuters further reports that cyber insurance rates for retailers went up 32 percent in the first half of 2015, and that deductibles are rising rapidly while limits are being capped.
We can expect even more churn in the insurance market as attacks continue and exposure data is refined. Putting the $4 billion projected 2015 insurance market in context requires keeping in mind that a 2014 study, “Net Losses: Estimating the Global Cost of Cybercrime,” conducted by software security firm McAfee for the Center for Strategic and International Studies, estimated that cybercrime costs the global economy $445 billion a year. Eventually the insurance market will become more efficient and effective. Standards will evolve and should improve defenses and have a salutary effect on losses, and good insurers will play the role of risk engineers. In the meantime, what’s that word again? Yikes!
By Tom Davis, SDI Cyber Risk Practice
SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.
October 13, 2015