The Strategist

Does cyber insurance market have a future?

11/28/2017 - 14:00

According to Allied Market Research, by 2022 the global market for cyber risks insurance will reach $ 14 billion. At that, Allianz reports that it will grow to $ 20 billion by 2025. A study from Fitch says that in 2016, the cyber risks insurance market in the US increased by 35%, up to $ 1.35 billion.

Yet, the premiums for cyber risks are a drop in the bucket for the general insurance market. In 2015, US insurers collected $ 1.5-3 billion of such premiums, Deloitte’s study in February said (the company refers to the ratings of regulators and rating agencies). And the total amount of premiums collected in the US in 2015 was $ 505.8 billion. In October 2016, only 29% of US companies had a policy of cyber risk insurance.

The surge in demand for this kind of insurance is noted every time a loud hacker attack occurs, say experts, interviewed by the WSJ. So it was, for example, after the attack on Yahoo's servers in 2014, when hackers cracked 500 million passwords of users; cyber-attacks on the National Committee of the Democratic Party of the United States in June 2016 and the hacking of the IT system of the Equifax credit history bureau, which could have thrown data of 300 million people in the hands of intruders.

In 2017, hundreds of thousands of computers around the world were hit by extortion programs such as Wannacry and Petya. One of the victims was the Danish industrial conglomerate Moller-Maersk, which owns the world's largest container shipping business. Its losses then amounted to $ 200-300 million, writes WSJ. Insurance company AIG says that Wannacry’s attacks raised demand for cyber risks insurance grew in Asia by 87%, and globally - by 38%, according to FT.

Tryg, the largest Danish insurance company, expects that 90% of its customers will be insured against cyber-attacks in five years. "There are no corporate clients who do not insure buildings and cars," said Tryg’s CEO Morten Hübbe. "I think in a few years it will be just as obvious that you need to insure cyber risks."

This insurance market could grow faster since potential demand is large enough had it not been for its immaturity. Insurers do not understand what exactly they are selling, and their customers - what exactly they are buying. "There are so many new insurance products that have not been tested yet," said Tim Francis, vice president of travel company Travelers, to WSJ, "that one day we will start to receipt insurance claims, and then we will see whether the words that we used in policies are exactly what we had in mind. " But often it is necessary to deal with this with lawyers, he adds.

"What will happen if tomorrow some web hosting will undergo a DDoS attack or will it be hacked, and the companies that use it will not be able to serve their customers? How do we know that buyers of cyber risk insurance policies do not store everything in one basket - cloud service, web hosting, mail server, SaaS (software as a service)? "- notes one of the insurers involved in Deloitte’s study.

Several Deloitte respondents compared the risks associated with cyberattacks with the risks of terrorist attacks: in both cases, a group of people intentionally tries to inflict damage, such attacks can occur anytime, anywhere, and anyone can suffer from them. Because of fear of receiving huge losses, many insurance and reinsurance companies ceased to insure the risks associated with terrorism after September 11, 2001. "In the end, it all boils down to the fact that we do not understand what risks we are taking on ourselves," another insurer told Deloitte. "We do not have enough information about where the source of risk is, so that we can cut it."

Now, there is a real arms race in the cyber sector and there are many opportunities to commit a large-scale cyber-attack in dozens of countries, says Bryce Boland, IT director of FireEye company, dealing with security issues. "Insurance policies usually do not cover military operations. And this means that the definition of cyber-attacks is extremely important: who knows who is behind them? "- he says.

But even if there is a cyber risk insurance policy, it is necessarily right that it will cover all the losses in case of a break-in. Moreover, for example, reputational damage may not immediately manifest itself. In June 2014, the US-based chain of restaurants, China Bistro, paying $ 134,000 a year for this service, learned that hackers had stolen credit card numbers from 60,000 customers. The insurer paid China Bistro $ 1.7 million in compensation for the investigation and legal costs, but the network itself had to pay $ 1.9 million to the card processing company, writes WSJ.