Sales of cybersecurity insurance policies are booming. Tracy Dolin, Standard & Poor’s Ratings Services analyst, estimated the market could reach $10 billion by 2025. It was only $1 billion in 2012, and it took 15 years to reach that number.
It can be difficult to get in the amounts you want, and pricing is all over the place. But, insurance is a useful tool for cyber risk management, just as it is for other forms of risk.
Cyber risk insurance appears to be helping cover costs in the most infamous data breach cases. According to the LA Times:
Target spent $248 million after hackers stole 40 million payment card accounts and the personal information of up to 70 million customers. The insurance payout, according to Target, will be $90 million, leaving the company $158 million in the hole — plus what it paid for cyberattack insurance.
Home Depot reported $43 million in expenses related to its September 2014 hack, which affected 56 million credit and debit card holders. Insurance covered only $15 million.
I like the way Ty Sagalow, former chief operating officer for AIG, described the buyer psychology that’s going on right now:
Think of a massive cyberattack as an intelligent hurricane,” he said. “If it hits a house that doesn’t fall down it learns why the house didn’t fall and it changes. It is a scary thing.… Scary things sell insurance.”
Combine the fear factor with the supply chain pressure I wrote about last week, and you’ll realize more medium and small companies are being required to purchase cybersecurity policies as a prerequisite to doing business with large companies. Remember that the Target breach was reported to have originated with an HVAC contractor.
One expectation I have is that insurance companies will be able to figure out which controls actually reduce risk and then offer premium discounts for companies who implement them. This is a similar pattern to offering lower fire insurance premiums when you install an automatic sprinkler system. Or, discounts on your auto policy for daytime running lights.
Have you bought cyber risk insurance? What was it like?