Cybersecurity insurance is a product that is offered to individuals and businesses in order to protect them from the effects and consequences of online attacks. This product is a recognition of the inherent dangers of storing customer information online and the risks businesses face in this online age.

Cybersecurity insurance can be obtained as a first-party product that focuses on compensating or mitigating the costs that are borne by the holder of the policy. It can also be sold as a third-party insurance product that covers the businesses and people that are found to be “responsible” for a breach. Sometimes you will be encouraged to add “Errors and Omissions” coverage to your policy as well for added protection.

Cybersecurity insurance is a product that is growing quickly in terms of scope and size. Currently, it remains a niche product despite the fact that the vast majority of people have used the internet directly or indirectly at one point in their lives. The relatively limited coverage is primarily because both the service providers and customers are just becoming accustomed to the product. There is a lack of awareness regarding cybersecurity in general, the risks companies are taking on a day-to-day basis, and the fact that most of their regular business insurance does not cover data breach incidents.

Introduction to Cybersecurity

Cybersecurity insurance has been a concern for the industry and the government as far back as the 1990s. At that time, one of the biggest threats was intellectual theft and copyright infringement. Some of the big players in the computer industry were worried about other rivals stealing their innovations and presenting them as their own. By the end of the decade, many people in the industry were beginning to realize that this was not just about copyright theft. It was also about information security as a wider concern. At that point, consideration was given to the possibility of coming up with risk management tools that would help the industry to cope with the threats it faced.

As is often the case in these situations, it took the occurrence of two major incidents for all the players within the industry to take notice. The first was the Y2K concern about computers shutting down permanently at the end of the millennium because they were not properly programmed. Then, the terrorist attacks on September 11, 2001 shattered the idea of a safe Western world that could effectively insulate itself from the problems of the rest of the world. It is this ethos of concern that has eventually persuaded governments to place emphasis on cybersecurity insurance as a key resource for small and medium businesses (SMBs). The financial crisis of 2008 also demonstrated that even the big corporations may require support from the government from time to time.

The banking industry started giving serious consideration to the development of cybersecurity insurance products because banking is an increasingly internet-based activity. Lloyds developed the first such product in 2000. The initial product configuration was restricted to third-party costs as well as some coverage for business interruptions. One of the big concerns for companies was the potential for being sued for inadvertently transmitting a virus or cyber-attack to other business entities. Eventually, this led to the modification of the original policies so that they included both the first and third-party elements. Some of the costs that are still covered today include:

  • Business Interruption
  • Penalties and Fines
  • Costs of Monitoring Credit
  • Costs Related to Public Relations
  • Costs associated with Rebuilding or Restoring Private Data

This is not a static list by any stretch of the imagination. Rather, it is one that continues to grow in response to the needs of the industry and its customers. For example, there have been efforts to cover any errors and omissions that are committed during the software development phase. Where such software programs are sold to third parties, the potential for being sued is quite significant. Indeed, in the USA, the potential for litigation extends even to the mere act of giving advice that later turns out to be inappropriate. Currently, the cyber market consists of about 80 major companies with countless more operating under a large company’s umbrella.

Innovations in the Industry

The increase in the number and significance of unexpected and expected cyber losses has given consumers a reason to reconsider their insurance needs. Some businesses are opting to add cybersecurity insurance for good measure. It is worth noting that the nature of the threats keeps changing, so there is no definitive list of products within this category. Insurers are constantly coming up with alternatives that address the threats as they see them within the industry. A case in point is the underwriting criteria that insurers use. This part of the industry is still very much in the developmental stage and some level of experimentation is to be expected.

One of those options is to make cybersecurity insurance part of the IT security services that are offered on a regular basis. Indeed, those companies that specialize in creating security products for the internet are also partnering with insurers in order to ensure that they are addressing the real needs that have been expressed during the consultative process. The government has a stake in this industry given the large losses that could potentially arise if there is no coverage. If the insurer is able to help a business back on its feet after a qualifying incident, it saves the government the money and effort required to provide corporate welfare to such companies.

Nevertheless, it is imperative to expand the pool of potential clients given the fact that this remains a relatively niche sector. Having too few providers can lead to monopoly or oligopoly. Having too few consumers can lead to a concentration of risk and an increase in potential losses. At the same time, the industry has to ensure that there are no free-riders who are getting generalized protection without paying premiums for it. That is what would happen if the burden of compensation fell on the government alone.

What Is Cybersecurity Insurance?

Cybersecurity insurance is an essential risk management tool for IT companies, tech companies, and any other company that has access to a lot of personal information, especially information that is sensitive in nature. This insurance product is designed to mitigate losses from a data breach, network damage or other cyber interruption, such as a hack that keeps systems down and causes loss of revenue. The industry is growing and changing and is adding more robust offerings to its products.

Some of the key issues for the industry as it reconfigures its services include the following:

  • a. There is a wide diversity of users. Some of them are high-risk. Others are low-risk. But all are competing for a few products within a small market.

  • b. The adverse risk selection process keeps those that need and want the insurance most out of the market because the insurer cannot take on the risk that they are assigned.

  • c. High-loss probabilities result from the inadvertent actions or omissions of the client, including not having the right protective infrastructure in the first place.

  • d. There is a lack of positive externalities. The industry is not developed enough to attract other partners to ensure that the service user gets a comprehensive package of support.

Ultimately, the structure of cybersecurity insurance is designed to ensure that people who are operating on the internet are not subjected to externalities over which they have limited control. Therefore, the ones that buy cybersecurity insurance policies attempt to internalize the externalities through pooling risks together. The wide and diverse risks spanning the sector are still making it difficult for many smaller companies to join the sector.

Currently, the United States has about a 90 percent exposure rate. About 50 different companies are still able to provide this service, but only five underwriters in the USA are willing to take on cybersecurity insurance. Those that still reject this type of product face significant risks. As late as 2017, there was a major malware incident that affected many businesses. By 2025, it is estimated that the total cybersecurity insurance premiums in the USA will stand at about $20 billion. That is a 1000% increase in their value since 2015. As the market matures and there is increasing standardization, such growth figures will no longer be a surprise.

Why Do Companies Need Cybersecurity Insurance?

The main reason for purchasing this type of product is the fact that the risks it tries to cover are real, and they are happening in the real world today. Cyber attacks are on the rise in terms of their number and level of sophistication. Likewise, the potential and actual impacts of these attacks are making companies think again about the wisdom of not having comprehensive cybersecurity insurance. Another potential problem is that the nature of risk for online businesses is continuously changing. That means that those that are already uninsured are likely to face even more problems in the future. Those that have inadequate coverage will also be in a similar boat.

The other issue to consider is the fact that the government generally no longer wants to give out support to businesses that are failing. That means that the protections that once existed are no longer in place, and businesses are essentially on their own if an incident happens. Companies that are uninsured may end up paying more than their own costs. This is because third parties can make claims that the courts will definitely entertain. Besides, the potential losses can be quite large for incidents such as a world virus infection.

Ten Reasons a Company Should Get Cybersecurity Insurance:

  • Protect against data loss due to hackers and other criminal elements.

  • Protect customers and suppliers so that they are not inconvenienced by major incidents.

  • Give investors and funders some confidence that the company is not going to collapse the moment there is a successful claim.

  • Ensure that the company is getting in line with all the regulations and requirements of the state within which they operate.

  • Provide an example of best practice to subsidiaries and parent companies that are not already insured.

  • Take care of unexpected and unexplained changes in the nature of the threat that is faced by all those who use the internet.

  • Deal with the public relations requirements following an incident that concerns internet breaches.

  • Have a fund or pot of money to deal with the legal and technical costs of dealing with major incidents.

  • Deal with issues of privacy and data protection following the online theft of private information.

  • Gain other benefits that arise from having an insurance policy including education and sensitization to risks.

Why Is the Government Involved in the Cybersecurity Insurance Industry?

The government has decided to get involved in the cybersecurity insurance industry in order to protect the wider assets of the society. It does not wish to see companies collapsing because they are unable to meet their obligations after an internet-based crisis. Likewise, the government does not want to be forced to step in with handouts in order to support those industries that do not have sufficient coverage to meet their legal and moral obligations to their customers. That is why this sector is gaining in prominence and attention.
