The cyber insurance market is rapidly expanding, according to new research, but premium increases, coverage changes, and other market shifts are more dramatic – and more important for risk managers and third party risk management (TPRM) teams to address.
“Negotiating a cyber insurance policy to include and exclude assets is complex,” notes Shared Assessments Senior Advisor Charlie Miller. Lengthy policies need to be understood, especially as more cyber insurance companies change coverage limitations in response to substantial loss increases related to the ongoing surge of ransomware attacks and other cybersecurity breaches. Understanding the requirements for supporting claim submission documentation for reimbursement is also essential, Miller points out.
While TPRM leaders are rarely the primary buyer of cyber insurance policies, their input on third party risks (and how those risks can be quantified) will help ensure that the organizational leaders shopping for cyber insurance – often a risk officer, the chief legal counsel, and/or the CFO – make the right selection. To provide effective guidance, TPRM leaders and groups should get a feel for cyber insurance policies and the unique claims process that cyberattacks of a large-enough magnitude set in motion.
How much is the global cyber insurance market worth?
The global cyber insurance market reached $6.15 billion (USD) in 2020 and, according to Fortune Business Insights, is projected to reach $36.85 billion by 2028, an annual growth rate of 25.3% over the next six years.
In October, a National Association of Insurance Commissioners (NAIC) committee published a report on the cyber insurance market that contains a slightly different 2020 cyber insurance market size figure (as measured by written premiums) and an even higher growth rate (29.1% from 2019 to 2020). These figures show that more companies are buying more cyber insurance.
“Today, we have home and auto insurance to protect us from unexpected costs, like those caused by fire or theft, and I see cyber insurance as a comparable need for businesses,” notes Shared Assessments Senior Advisor Nasser Fattah.
Actions After A Cyberattack
Of course, cyberattacks differ from car accidents, house fires, and break-ins. In many cases, organizations that have suffered a cybersecurity breach at the hands of bad actors don’t know the total extent of their loss, particularly when they first discover that an attack has occurred.
“Businesses not only need to recover costs and expenses due to cyberattacks,” Nasser explains, “they also need to be able to tap subject matter experts, provided by the insurance carrier, who can quickly jump in after an attack to assist with forensics, legal matters and handling the media among other activities.”
After a cyberattack occurs, IT, information security, enterprise risk management, and, in many cases, third party risk management teams should expect to log long hours working through incident response plans, Fattah notes. “There will be a need for external support, via your insurance carrier, to assist with the aftermath, while your IT and cyber teams remain focused on keeping the business up and running.”
Risk quantification is another aspect of cyber insurance that differs from traditional lines. Thanks to decades of loss history, most buyers and brokers are not baffled when trying to determine the proper amount of property or auto insurance coverage to purchase. Cyber insurance is trickier on this count.
“The problem that most companies face is in determining how much cyber insurance they need,” writes Tom Hansmeyer in a Harvard Business Review article that looks closely at structural challenges the market confronts. “But, it’s difficult for insurers to understand demand when the buyers themselves are still trying to figure out both their exposure and their buying appetites. The years where cyber insurance enjoyed significant growth weren’t enough to establish a reliable sense of how much protection companies should actually buy.”
This explains why Miller reports seeing more risk quantification and scenario-based exercises “to better understand and quantifiably measure the exposure to various cyber-attacks.” He notes that these approaches “aim to assist organizations in understanding their exposure to third party and supply chain risks. Regulators are increasingly demanding that organizations use risk quantification techniques.”
Cyber Insurance Risk Framework
Miller points to the New York Department of Financial Services’ (NYDFS) February 2021 guidelines indicating that cyber insurers should (at a minimum):
- Establish a Formal Cyber Insurance Risk Strategy
- Manage and Eliminate Exposure to Silent Cyber Insurance Risk
- Evaluate Systemic Risk
- Rigorously Measure Insured Risk
- Educate Insureds and Insurance Producers
- Obtain Cybersecurity Expertise
- Require Notice to Law Enforcement
Other risk quantification approaches, such as the FAIR model for risk quantification, are also gaining traction, Miller adds. “Both techniques are being used to better inform, prioritize and align resources at the board and executive management for addressing these risks. None of these techniques is simple!”
In other words, organizational risk management groups, information security functions, and third party risk management teams have some difficult risk quantification work ahead of them. The good news is that this work will help soften the blow of cyberattacks targeting companies and their third party partners.