You will suffer from a cyber incident.

That's the message insurance providers should relay to current and prospective clients. Whether that incident involves malware, a phishing strike, a breached system, a ransomware infection, a lost or stolen laptop, or a distributed denial-of-service attack, all organizations will at some point suffer the direct or indirect consequences of a cyber incident. Gone are the days when providers and insureds could focus solely on preventing incidents. We must now take steps to prepare for when insureds do get hit.

Any organization is fair game

I'm being a realist, not an alarmist. Hackers, crypto-extortionists and just plain troublemakers are now targeting vulnerable companies regardless of their industry, not just data-rich banks and retailers. In fact, the new generation of cyber criminals is spreading its lures so widely that any kind of organization is liable to bite. Just look at the recent headlines:

• Healthcare: United Kingdom's National Health Service was one of the organizations hit hard by WannaCry in May, forcing many hospitals within the country's healthcare system to divert or postpone operations and procedures.

• Elections: A high-ranking official of the Department of Homeland Security told the U.S. Senate Intelligence Committee in June that election mechanisms in 21 states were targeted in cyber incidents during the 2016 presidential election.

• Transportation: The Danish transport and logistics conglomerate Maersk revealed in August that the Petya ransomware let loose in June cost the company some $300 million in lost revenue. Other enterprises victimized by Petya include advertising shop WPP, food company Mondelez, legal outfit DLA Piper, French construction materials corporation Saint-Gobain, and Russian steel and oil firms Evraz and Rosneft.

• Critical infrastructure: Reports emerged this June that late last year unknown hackers used malware to shut down an electric transmission station in Kiev, the capital city of Ukraine. In the same reports, cyber security experts were quoted as saying that the malware, known alternatively as Industroyer, CrashOverride or Electrum, is a threat not just to Ukrainian power grids. Any system run or monitored by automated controls (in other words, almost all the systems that make up critical infrastructure in the United States) is also vulnerable.

Disconnect between awareness and action

Expect more types of organizations to bite the cyber hook in the months to come. Many of them will be victimized through connected devices. The Internet of Things will vastly increase the number of points at which hackers, crypto-extortionists and other cyber criminals can access corporate digital systems and, just as important for insurers, expand the scope and complexity of risk. Pretty much everyone and everything will soon be connected to the internet — personal things such as the systems that heat homes, monitor babies and control medical devices; and public items such as security cameras, transportation networks and power plants. The analyst firm Gartner says that 26 billion connected devices will be in existence by 2020.

Owners and operators of many businesses and organizations are slowly starting to grasp the extent of the threat. Allied Market Research forecasts the global market for cyber insurance will rise from $3 billion today to $14 billion by 2022. Yet many organizations are still not getting the message.