It could be the new online business corollary to “if you can’t beat ’em, join ’em”: If you can’t prevent breaches, insure ’em.
As companies big and small embrace the fact that cybercriminals will find a way into their digital enterprise, one way or another, cyber-insurance has seen a rapid uptick in popularity. While still a relatively small sector compared to other types of insurance products, so-called cyber-insurance, or cyber-liability insurance, offers protection and remuneration to businesses that have experienced an online intrusion or digital data theft. Depending on the policy, cyber-insurance can cover the cost of notifying customers of a data breach, post-breach forensic research, recovering lost data, repairing impacted corporate systems, and legal fees and expenses related to the intrusion.
While insurers like Chubb have offered cyber-insurance for two decades or more, the coverage has only recently become popular as companies have come around to the idea that it is not really a question of whether their systems will be breached, but when. Jake Kouns, the chief information security officer for Risk Based Security and a long-time evangelist for cyber-insurance, says he is seeing a huge uptick in policies as “people are finally more open to having this conversation. Now people are asking questions and wanting to know more about what is going on with cyber-insurance.”
Speaking at the cyber-insurance “micro summit” at last month’s Black Hat USA conference in Las Vegas, Kouns and his fellow presenters expounded on the exponential growth in the cyber-insurance market as corporate breaches have become daily headline fodder. PwC has found that only three out of 10 companies currently possess cyber-insurance of any kind, and Jeffrey Smith, managing partner with Cyber Risk Underwriters and another presenter at Black Hat USA, said that 60% of small-to-mid-sized businesses lack cyber-insurance.
Experts, however, believe the market is poised to boom. PwC estimates that the amount of gross written premiums will triple from $2.5 billion last year to $7.5 billion by year-end 2020. What’s changed to create this growth? In addition to more companies coming around to the concept that wily cybercriminals will find a way in, increased education about cyber-insurance is clarifying many of the early misconceptions about this type of coverage, according to Smith. For example, in the highly publicized 2016 case between P.F. Chang’s and Federal Insurance Company, the US District Court of Arizona ruled that the cyber-insurance policy held by the popular restaurant chain did not cover fees to reimburse its card processor after P.F. Chang’s suffered a data breach. Exclusions like this have made many companies wary of how much a cyber-insurance policy will help.
Typically, it is the office of the chief financial officer (CFO) that leads the charge on cyber-insurance, not necessarily the chief information security officer (CISO). But cyber-insurance is an arena where multiple departments may play a role, including legal, human resources, and lines of business, as well as security. And as the coverage becomes more popular with policyholders, more insurers are beginning to offer it. In 2017, 170 US insurers reported writing cyber-insurance policies, up from 140 in 2016 and 119 in 2015, according to Aon’s U.S. Cyber Market Update.