Despite the amount of news coverage devoted to cyber-crime and cyber-attacks, the fact is that most cyber risks are not insured. While this represents a significant exposure for any company doing business on the Internet, it also represents a major opportunity for insurers.
As noted in a 2015 report by the Insurance Institute of Canada, however, there are a number of barriers standing in the way of insurers seeking to write cyber coverage. One of the biggest obstacles is the lack of comprehensive information about how likely cyber-attacks are to occur, and the possible consequences – in terms of monetary and reputational damage – of any single attack.
The report notes that there is no such thing as complete protection from cyber-attacks. Rather, companies have been working to reduce the likelihood and the potential impact of such attacks; they then pay premiums to transfer part of the remaining risk to one or more insurers.
We are in the very early stages of the development of the cyber insurance market. One of the key steps now is for the insurance industry to work with governments – and, possibly, with cybersecurity companies – to chart the frequency and severity of attacks. Individual insurers can then begin to model the risk of any particular company or organization being attacked.
The Insurance Institute of Canada report estimates that the market for cyber insurance – as measured by premiums written – is growing by 15 to 20 per cent per year worldwide. Given the difficulty of generating premium growth in established commercial and personal lines, insurers might want to devote additional resources to modeling, testing and launching cyber-specific offerings.