
The State of the Cyber Threat and Solution Market



Cybersecurity is an issue of vital importance in today’s digital world. As more people and more devices become connected, the risk of malware and data theft grows. Barely a day passes without a headline about a high-profile data breach or ransomware incident. And while no industry is immune to the increased level of cyber risk, the trend is set to have a major impact on the property and casualty market.

Soaring cyber threats are creating a greater demand for cyber insurance. Lloyd’s of London saw a 50 percent increase in companies and individuals taking out policies against cyberattacks in 2016, according to the Financial Times. And industry analysts expect annual gross cyber insurance premiums to continue growing: PwC suggests they’ll hit $7.5 billion by 2020, up from the current $2.5 billion. But it is still an immature market, with many questions to be answered.

To understand cyber's growing popularity, carriers, brokers and their clients must understand the depth and seriousness of the threat.

“50 percent more companies and individuals took out policies against cyberattacks in 2016 than 2015.”

The cyber threat is growing

The average data breach costs $3.62 million, according to IBM’s 2017 Cost of Data Breach Study. The impact on any afflicted business can be catastrophic, but particularly so when businesses lose sensitive, personal customer data. Beyond the time and expense involved in investigating a breach, repairing defenses and bringing services back on track, an organization will have to contend with punitive regulatory fines, legal liability and reputational damage.

As a result, many companies are spending money to protect their data. This can often be for compliance, but there are other categories of cyber risk. DDoS (distributed denial-of-service) attacks, for example, are designed to flood servers with requests in an attempt to crash the system. This kind of threat is all about disruption, and it’s alarmingly easy for would-be attackers to carry out.

Ransomware is another type of cyber threat that’s gained in prominence. Here, victims’ data are encrypted, with a ransom payment required to obtain an encryption key and regain access. This is essentially an extortion racket for the digital age, but it’s difficult to police because criminals can easily launch sophisticated cyber-attacks across borders.

“$3.62 million: The cost of the average data breach.”

The internal threat

The unfortunate truth about cybersecurity is that organizations can throw enormous budgets at beefing up their frontline defenses and implementing security software, only for their employees to hand away the keys. Cybercriminals target the path of least resistance — and it is much easier and cheaper to fool a person than it is to hack into a properly protected system.

Education and training are improving, but many employees can still be fooled by a personally addressed email or innocuous-looking link. When JPMorgan increased its cybersecurity spending after a data theft, for example, it tested staff with a fake phishing email a few weeks later – and executives were horrified to find that 20 percent of employees clicked on it.

More resources must be committed to educating employees about safe practices and instilling a sense of vigilance in the workforce. In the interim, though, attacks and breaches are inevitable. That’s why businesses must be prepared for the worst – which means having a proper backup procedure with a clear remediation plan. It also means investing in cyber insurance.

Early evolution of cyber insurance

Cyber insurance first began by covering classic data breach situations. But as cyber risks have evolved, so, too, have the products. Sabotage by disgruntled ex-employees, attacks intended to disrupt rather than steal, the specter of ransomware – all these scenarios should be covered. Targeted manipulations can also make it difficult to assign liability and fault.

It’s far from straightforward to calculate the losses from a cyberattack. Business disruption and lost income, incident response, investigation and regulatory proceedings must all be considered. Accurately linking cyber risks to potential losses is still a new idea for many organizations, and, while helpful, it can require a deep knowledge of myriad technologies.

“Cybercriminals target the path of least resistance. It is much easier and cheaper to fool a person than it is to hack into a properly protected system.”

The physical losses

The perception that cyber threats are merely “virtual” is a persistent one — the files stolen are digital, after all, and the systems crashed are online. But cyber risks can cause great physical damage to both persons and property. The first thought may be remote disconnection of systems for monitoring flooding or fire — but what of the potential impact on our increasingly connected devices?

In 2016, there were 6.4 billion connected items in use worldwide, and, according to Gartner, that number is predicted to grow to 8.4 billion this year. The implications are wide – a smart fridge turns off, and several tons of food are spoiled; a smart car is hacked, the driver is distracted and causes a crash. It’s important to understand the physical exposures and deal with them in the emerging cyber insurance field — or else amend traditional property and casualty policies to incorporate these new risks.

Where does responsibility lie?

Another thorny issue that must be tackled is the potential liability of third parties. Most modern businesses now employ several cloud-based services from outside vendors. New regulations drive greater caution and more oversight to where data reside, but it’s still a blind spot for many. Organizations must ensure that third-party partners carry robust cyber insurance, or extend their own coverage to these parties.

The far-reaching consequences of cyberattacks require a solid insurance policy, but there needs to be some flexibility in products. Businesses are still learning precisely what needs to be covered, and as the line between cyberspace and the physical world blurs, it may be more natural for cyber insurance to fall under the traditional property and casualty umbrella, rather than a specialized offshoot.

There’s clearly still much work to do in the cybersecurity space, but what’s certain is that all companies should include cyber insurance as part of their recovery plans. As the scope of the cyber threat is recognized, cyber insurance will be adopted more and more over the next few years, and will spur the development of increasingly sophisticated policies to meet the needs of a range of different organizations.