On the one hand, it is caused by cardinal technological changes in the main ways of doing business. Digital technologies can significantly reduce costs, improve business efficiency and give completely new opportunities in many areas.
On the other hand, along with these positive changes, the degree of cyberthreats is also growing. In 2016, the damage to world business from cyber-attacks was estimated at USD 450 bn. (Graham, 2017), while cyber risks ranked third in importance for business (Allianz, 2017).
Cyber-risk insurance is also showing significant growth over the past few years. However, for a more accurate understanding of the prospects of this market, it is necessary to outline its main segments that are fundamentally different in terms of the nature of the risks and the level of maturity.
Policyholders of cyber-risks can be divided into the following groups:
• companies processing large amounts of personal data (telecom- and media companies, health care, education, etc.);
• critical infrastructure companies (energy, communications);
• companies whose business is based on online transactions (retail, payment systems, financial institutions);
• a combination of the above (transport companies, health care).
The main driver of the growth of cyber insurance is the segment associated with the protection of personal data. At the same time, the largest losses are observed and expected in the financial sector and critical infrastructure companies. Thus, at this stage of the development of the cyber insurance market, there is a clear imbalance between the needs of policyholders and the capabilities of the insurance market.
The reason for the apparent imbalance may be the fact that the development of an insurance market in this direction requires generation of a conscious, qualitatively and quantitatively estimated demand. If we assume the hypothesis of two differently directed reasons for the growth of the insurance market: "demand following" and "supply leading" (Outreville, 2013), without going into detailed hypothesis testing, we can attribute cyber risks market on the current stage to the first group. Therefore, the growth of cyber-risks insurance market is currently a consequence of the corresponding demand.
We can support our assumption with the example of data breach insurance in the United States.
The growth of the US cyber insurance market in 2011-2015 was due to the introduction of legislation in most states to take appropriate security measures to protect against cyber risks and report serious breaches to national authorities. This led to an increase in demand for cyber insurance products covering personal data breach.
Data leaks became better identified and recorded, which enabled analysis of the related data. Figure 1 shows a clear upward trend of identified personal data leaks and the synchronous growth of the cyber-risk insurance market.
Between 2011 and 2015, when most of states actively introduced data breach legislation, cyber-risks market demonstrated an annual growth rate of about 30%. S. Romanosky (2016), in his research gives somewhat different data on the dynamics of the detected data leaks. Figure 2 shows moderate decrease in the total number of disclosed personal data breaches.
Figure 3 shows a similar trend in respect of the average size of the claimed loss for cybersecurity policies.
After initial growth, there is a slight decrease in the amount and average severity of the reported losses.
This may indicate the positive effect of personal data breach legislation and increasing maturity of information security management processes in insured companies.
Along with the policyholders, who were actively engaged in information security of their companies, insurers also learned how to deal with the new line of business. The effect of their effort is shown by the cost dynamics in Figure 4. Insurers spent less on Crisis Services Costs, such as forensic, credit card monitoring services, notification services for victims, legal support and PR services
Thus, judging by these trends, we can talk about the growing maturity of cyber insurance market in the US. This process takes place simultaneously for both: policyholders and insurers.
Policyholders pay more attention to cybersecurity and reduce the risk of personal data breaches. This leads to a better understanding of cyber risks and necessary conditions for cyber insurance policies.
Insurance companies, for their part, gain experience in claims settlement, improve policy terms, and work out interaction with Crisis services providers.
There is also a recent trend towards increasing demand for cyber insurance among medium-sized companies and small businesses.
For European companies, the situation in the cyber insurance market before the adoption of the GDPR is quite similar to the market conditions in the US in 2011. The total volume of the cyber insurance market is estimated at about USD 135m (AON, 2017). The main policyholders are large companies with a turnover of more than USD 1bn. These are generally financial institutions, large retailers and hotel sector companies. Cover for cyber-extortion and business interruptions account for most of demand. (AON, 2017).
However, there are several significant differences from the US experience.
First, during the past 7 years the world business has faced many serious cyber-incidents, which affected the activities of many companies and made management aware of the possible consequences of such events.
Secondly, implementation of the European GDPR regulation and serious fines for its violation became known long before May 25, 2018. Consequently, the European business had enough time and incentives to prepare and ensure information security of its companies.
The third difference is that the world's leading insurers now have significant shares of both American and European markets. They are ready to apply the experience from the United States to the insurance of European companies in the field of personal data protection in accordance with GDPR.
All these prerequisites can help EU insurers to pass infant period of cyber insurance market with lower losses and less time. However, there might be some difficulties because of lower culture of cybersecurity among European companies as well as some unclarified issues regarding insurance coverage according to GDPR.
Critical infrastructure companies
Critical infrastructure enterprises frequently demand insurance coverage for cyber-risks even more than personal data operators. Such enterprises can suffer considerable material losses due to cyber incidents, and what is more dangerous, severe damage, including damage to life and health, can be caused to third parties. Despite this, only relatively small amount of such companies is currently buying cyber risks insurance policies.
Insurance is only one of the elements in building a cyber security system for enterprises. Technical and organizational measures to prevent cyberthreats should always be a top priority. However, current situation with cybercrimes prevention is far from ideal. Requirements of the NIS Information Security Directive for Operators of Essential Services (OES) and Digital Service Providers (DSP) will take effect on May 10, 2018 and according to a recent study (Honeywell, 2017), 45% out of 130 surveyed industrial enterprises do not have an information security specialist in their staff, 60% do not monitor suspicious network activity, while 53% of respondents have been a victim of cyberattacks at least once.
It is obvious that companies that are not aware of cyber threat and are not working on reduction of cyber risks are far from thinking about insurance protection for events.
If we assume the hypothesis of following demand, the demand for cyber insurance in this segment of policyholders is in the stage of formation.
In terms of demand for cyber insurance products, online services and financial institutions are in a much more advanced state than industrial enterprises. Unlike the latter, this category of policyholders suffers from insufficient supply.
Companies in this sector are most vulnerable to cyberattacks. Banks and insurance companies are vulnerable to direct material losses. Moreover, there is significant risk of cumulation. Recent examples are cyberattack targeting systems operated by Domain Name System (DNS) provider DYN on October 21, 2016, and the Amazon S3 Service Disruption on February 28, 2017. Because of these incidents, clients of both companies suffered significant losses, once again proving that it is not necessary to be the target of cyberattack to suffer from it.
In addition to cumulation, the main risk for online services is business interruption. Policyholders require insurance protection for a large amount of intangible assets, since the cost of tangible assets of online companies is relatively small.
Both circumstances significantly restrain supply of cyber insurance products for online business.
Cyber liability or data breach insurance is currently the flagship of cyber insurance. This is the most massive segment, which allows both policyholders and insurers to gain necessary experience as well as understand and assess risks. This is the first step that will allow all participants of the market to switch to other types of cyber insurance: already existing and those that might emerge in future. In view of this, implementation of the GDPR shall significantly increase insurance protection of the EU business against cyber threats.
- Graham, L. 2017. Cybercrime costs the global economy USD450 billion [online]. CNBC Cyber Security. Available at: http://www.cnbc.com/2017/02/07/cybercrime-costs-the-global-economy-450-billion-ceo.html
- Allianz Risk Barometer, 2017.
- Outreville, J. F. (2013). The Relationship between Insurance and Economic Development:85 Empirical Papers for a review of the Literature. Risk Management and Insurance Review, 16(1), 71-122.
- S. Romanosky, «Examining the costs and causes of cyber incidents» Journal of Cybersecurity, Volume 2, Issue 2, pp. 121-135, December 2016.
- Net Diligence, «2017 Cyber claims study» 2017
- AON Inpoint. Global Cyber Market Overview. Uncovering the Hidden Opportunities. June 2017.
- Honeywell. Putting Industrial Cyber Security at the Top of the CEO Agenda. December 2017.
Larisa SACHENKO, Expert