A Big Driver For Cybersecurity Spending? Wary Cyber Insurance Vendors

In 2014, insurance companies reaped $2 billion in policy premiums from U.S. companies seeking protection from potentially vast losses due to cyber attacks like those that have hit Target, Sony, and other big firms. By the end of the decade, the U.S. market for cyber insurance could burgeon to $7.5 million, analysts say.

But insurers could be writing more policies, and larger ones, right now. Why aren’t they?

Insurance firms themselves are putting some brakes on the cyber insurance business at this point, because they’re as scared of mega-losses as their potential clients are, says Mark Weatherford, chief cybersecurity strategist at Mountain View, CA-based security tech firm vArmour. Insurers are granting cyber insurance policies selectively, and limiting the amounts that policyholders can recover if they make claims after being hacked.

When insurers do sell cyber policies, they want to know what security software and other measures their potential customers have in place before they set a rate for premiums, says Weatherford, a former cybersecurity deputy with the Department of Homeland Security, and a former top security official for the states of California and Colorado.

“Very few people are able to buy as much insurance as they want,” Weatherford says.

Businesses are more likely to obtain cyber insurance policies if they can show they have robust cybersecurity defenses in place, Weatherford says. They may also qualify for lower premiums, he says.

The current precautions from insurance underwriters, while restricting their own market, could turn into a significant stimulus for the much larger cybersecurity industry, Weatherford said at the big RSA conference this month, where cyber insurance was a running theme among the hundreds of sessions on cybersecurity. Company negotiations for cyber insurance policies could become an influential catalyst driving total business spending on products that fend off hackers, clean up data networks after a cyber attack, or handle other headaches that flow from a digital break-in.

In September, business data firm Gartner estimated worldwide spending on cybersecurity in 2015 at $75.4 billion, an increase of almost 4.7 percent over 2014. But hackers are constantly finding new inroads into the data networks of retailers, banks, healthcare businesses, government agencies, and other targets.

Top executives have looked at insurance as a possible way to offload some of their cyber risk—perhaps doubting they can make their companies absolutely bulletproof to hackers by buying more fortifications from an ever-expanding array of different cybersecurity firms.

But companies need strong cybersecurity systems as well as cyber insurance, Weatherford says.

Hackers are imposing this double expense on businesses of all kinds and sizes, not just on major enterprises. Most companies these days are connected to the Internet, whether they sell products online, store data in Web-based servers, keep digital records on their employees, advertise and gather data from customers via social media, or offer mobile apps.

What’s more, companies share data with a range of third parties, such as suppliers, which have their own vulnerabilities to cyber invaders. The Target data breach began in late 2013 when hackers tunneled into the big retailer’s networks after piercing the defenses of its heating, ventilation and air conditioning (HVAC) vendor, according to a report by the Insurance Information Institute.

A cyber attack can set off a rolling disaster spanning years and triggering costs for investigation, data recovery, notification to people whose private data has been captured, monitoring of victims’ accounts for identity theft, interruption of business service, loss of reputation, regulatory fines, lawsuits, and more. The security firm McAfee estimated that cyber crime costs the global economy $445 billion a year.

Insurers quail at the potential losses they could face from cyberattacks on policyholders by sophisticated criminal groups, industrial spies, hackers with political agendas, and even nation-states. They even fear a Cybergeddon or “cyber-hurricane”—a cascading systemic threat that begins with contagious malware or a Web data storage company breach that would affect not just one client, but also thousands of companies that would file insurance claims at the same time.

Global spending on cybersecurity products and services has been rising, spurred not only by high-profile hacks and the increasing craftiness of their tactics, but also by legislation that aims to protect the critical infrastructure of nations, the intellectual property that fuels national economies, and the privacy of citizens.

But in general, companies are not spending on cybersecurity in proportion to their risk, cybersecurity analysts say. PricewaterhouseCoopers concluded that cybersecurity expenditures have increased only modestly among large companies as cyberattacks proliferated and the related financial costs rose, while cybersecurity spending among smaller companies declined.

One of the reasons why companies may limit spending on cybersecurity measures is cost. Chief information security officers can find it difficult to justify the expense to company board members, because it’s hard to put a number on the financial risks related to a breach, Weatherford says.

But the cost of cyber insurance may help security executives demonstrate a return on investment for greater expenditures on cybersecurity products, Weatherford says. Cyber insurance companies may lower premiums when a company’s security measures are stronger. Thus, cyber insurance could become

Author: Bernadette Tansey

Bernadette Tansey is a former editor of Xconomy San Francisco. She has covered information technology, biotechnology, business, law, environment, and government as a Bay Area journalist. She has written about edtech, mobile apps, social media startups, and life sciences companies for Xconomy, and tracked the adoption of Web tools by small businesses for CNBC. She was a biotechnology reporter for the business section of the San Francisco Chronicle, where she also wrote about software developers and early commercial companies in nanotechnology and synthetic biology.