Cyber crimes have been dominating our politics, our finances and our national security.
Not a day goes by without news of another cyber attack, hacking scheme or massive data breach. They range in scale from simple identity theft of credit card numbers or online passwords to the recent WannaCry attack by North Korean hackers that disrupted computer systems in English hospitals, Chinese universities and German railways.
According to the Identity Theft Resource Center, U.S. companies and government agencies suffered a record 1,093 data breaches last year, a 40% increase from 2015.
The CEO of IBM Corp. has ominously identified cyber crime as "the greatest threat to every profession, every industry, every company in the world," while the CEO of Lloyd's estimated that cyber attacks cost businesses as much as $400 billion per year. Meanwhile, the new enforcement directors at the U.S. Securities and Exchange Commission recently warned that hacking crimes are the great threats to our financial markets. Even President Donald Trump has acknowledged cyber theft as "the fastest growing crime in the United States."
Obstacles facing insurers & consumers
How can companies and consumers protect themselves and manage this increasing threat? Insurance has traditionally been a principal tool for mitigating risk. Yet, while worldwide spending on cyber security products rose to a record $73.7 billion in 2016, only 29% of U.S. businesses have purchased cyber insurance.
Moreover, cyber insurance accounted for only a small fraction — between $1.5 billion to $3 billion — of the $505.8 billion generated in premiums by U.S. insurers. The reasons behind the struggling cyber insurance market are myriad and traceable to obstacles facing both insurers and consumers. A recent report by the Deloitte Center for Financial Services attempted to identify the barriers affecting growth in this promising line of insurance.
From the insurers' standpoint, the lack of historical data on cyber losses significantly inhibits their ability to build predictive models and properly assess cyber risk. Simply put, cyber insurance has not been sold for long enough to develop suitable market trends.
Vast majority of cyber crimes go unreported
The U.S. government does not maintain a centralized database cataloging cyber attacks. Moreover, because of the sensitive nature of cyber crimes, the vast majority go unreported. With insufficient data, insurers are loath to offer comprehensive coverage.
In addition, cyber attacks continue to evolve in scope and sophistication. Like terrorism, cyber attacks can occur at any time, any place, and to anyone. With an unpredictable and changing underlying exposure, insurers cannot anticipate and mitigate against these cyber risks.
Because of these obstacles confronting insurers, consumers face an uneven and expensive market for cyber insurance products. Insurers offer a patchwork of various coverages, often with minimal limits and nonstandardized language. Moreover, many companies erroneously assume that their general or professional liability policies cover cyber risks. Errors and omissions policies, however, typically do not cover cyber thefts and hacking schemes that trick employees into issuing payments or divulging confidential and proprietary information.
While commercial crime policies may cover the theft itself, they do not account for other cyber-related expenses like forensics, credit monitoring, crisis management, and reputational risks. Yet, standalone cyber policies lack standardized language within the industry. Differing terminology from insurer to insurer inhibits a buyer's ability to compare coverage and pricing. This also affects claims management and coverage disputes, as courts have not been able to interpret and enforce uniform cyber insurance provisions to provide clarity to both insurers and insureds.
Steps to wide-ranging coverage
Despite these hurdles to a thriving cyber insurance market, Deloitte offered several concrete steps to facilitate access to wide-ranging coverage that is both simple and affordable. As frequent targets of hackers, insurers can draw on their own cybersecurity experiences to develop more accurate predictive models.
Following the lead of U.S. intelligence agencies, insurers could also partner with IT professionals and former hackers in order to understand the scope and nature of cyber losses. Alternatively, insurers could issue more specialized cyber products tailored to specific types of exposure such as data breaches or specific areas of technology in order to better assess their risks on a smaller, more manageable scale. Furthermore, insurers could provide all-inclusive cyber risk management services and post-loss recovery support with their insurance products. This will benefit consumers and businesses by helping prevent cyber incidents from occurring and ultimately lowering premiums, while also decreasing loss frequency for insurers and bolstering account retention.
In the next decade, the proliferation of driverless cars and ride-sharing will likely hurt the insurance industry's most profitable line of business, auto coverage. Moreover, automation and the changing nature of the nation's labor force will inevitably affect another large line, workers' compensation. Accordingly, cyber insurance is one of the few promising areas for long-term growth.
With an ever-increasing spotlight on cyber crimes and hacking, consumer interest in insurance products to protect against those risks will only intensify. If the insurance industry does not become a more reliable provider of comprehensive and affordable cyber coverage, insurers will be left behind as businesses seek alternative methods of managing risk.
Michael D. Ford is a litigation attorney in the Miami office of Hinshaw & Culbertson. He represents insurers nationally and focuses on resolving and litigating complex coverage disputes and bad faith matters. Contact him at firstname.lastname@example.org. Opinions expressed are the author's own.
Originally published on Daily Business Review. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.