Cyber Insurance: A Guide For Policymakers by BPC

Washington, D.C. – The market for cyber insurance, a product that did not even exist before the mid-1990s, is booming.

A new report from the Bipartisan Policy Center’s insurance task force, Cyber Insurance: A Guide for Policymakers, looks at the need to create a well-functioning market for cyber insurance and the obstacles that must be overcome.

The recent and anticipated growth in the cyber insurance market is due, in large part, to the growth in cyber attacks, which carry a significant cost.  But it has been difficult for insurers to assess how much risk they are insuring against from these attacks.

Obstacles to the further development of the cyber insurance market include improving the collection and sharing of high-quality data on cyber incidents, the potential for catastrophic losses that could result from attacks on whole sectors of the economy, and the difficulty of protecting against fast-changing hacking technology. Even companies that know they need cyber insurance are not always clear on how much coverage they need or are getting.

“In general, the cyber insurance market would benefit from greater standardization, such as of terminology, policy language, and best practices for cyber hygiene,” the report said.

Cyber Insurance: A Guide For Policymakers

The market for cyber insurance, a product that did not even exist before the mid-1990s, is booming. According to the Insurance Information Institute, the U.S. cyber insurance market generated about $2 billion in premiums in 2014. Some experts estimate that premiums will increase to $7.5 billion by 2020.1 High-profile hacks on confidential customer data and prominent companies—like Sony, Target, Apple, multiple large banks, as well as the Department of Defense and U.S. Office of Personnel Management—have raised concerns about the integrity of the personal data entrusted to firms and government agencies. These cyber incidents also raise alarms among policymakers and regulators, who understand that the attacks threaten economic activity, financial markets, and U.S. national security.

In response to these attacks, companies are upgrading their systems and purchasing cyber insurance protection. Government interest is also driving the growth of the market. Nearly all states, for example, now require companies to notify customers of cyber breaches. Cyber insurance is also growing globally, as the European Union is expected to implement cybersecurity rules in the near future. Another dynamic increasing the demand for cyber insurance is the growing realization among directors and officers of companies that they could be held personally liable for cyber attacks.

In this issue brief, the Bipartisan Policy Center’s insurance task force starts with the premise that a well-functioning market for cyber insurance, one that offers a robust range of products that meet the needs of consumers in a competitive environment, would benefit consumers, businesses, and national security. Reaching that goal will require overcoming some difficult obstacles. This paper provides a guide to policymakers on how best to address these obstacles and facilitate a well-functioning cyber insurance market in the United States.

Background

The recent and anticipated growth in the cyber insurance market is due, in large part, to the growth in cyber attacks. In 2014, there were 783 reported data breaches in the United States, and those breaches exposed 85.6 million records.2 There were likely many more breaches that went unreported. These attacks carry a significant cost. One report estimated the annual cost of cybercrime to the global economy is between $375 billion and $575 billion per year.

One of the chief obstacles in the further development of the cyber insurance market is defining what constitutes cyber insurance. Among the elements a cyber insurance protection policy can include are:

  • Liability for a security or privacy breach, such as when confidential customer information is compromised
  • Costs of notifying customers of a breach and providing them support services
  • Losses from business interruption following an attack
  • Costs for restoring or replacing lost or damaged data
  • Liability for directors and officers of a company targeted by an attack
  • Costs associated with settling cyber extortion threats

Given these various risks, cyber insurance policies are often customized for individual firms rather than sold as standard policies. Also, since the market is relatively young, policy terms have not been standardized through judicial interpretations.

Obstacles to a Healthy Cyber Insurance Market

The central obstacle to a robust, well-functioning cyber insurance market is the inability of both insurers and insureds to know exactly how much risk is involved in cyber attacks. The difficulty in underwriting cyber insurance means that the supply and demand for insurance coverage may be significantly mismatched to actual risk. If insurers underestimate the risk that they are insuring, they may face heavy losses for one or more insurable events. On the other hand, if they overestimate the risk they are insuring, they may not offer enough insurance to meet demand or offer it at excessive premiums that deter potential customers from purchasing the coverage they need to mitigate risk.

A number of factors contribute to the difficulty in underwriting cyber insurance.

Lack of Data

At a basic level, there is a lack of high-quality data about how many cyber incidents are taking place and how much damage those incidents are causing to firms and the economy as a whole. As noted above, there are some general estimates of the number and cost of breaches, but there is no established mechanism for companies and government agencies to share data with each other. Last year, Congress did enact cybersecurity legislation that should help to address this gap and lead to more data sharing on certain kinds of cyber incidents once the law is implemented.

Yet, the data challenge goes beyond tracking attacks and sharing information. Some companies that are hacked do not realize it and so never report those attacks. Other companies prefer to keep knowledge of attacks private, fearing reputational damage. Still others realize that they were attacked but are not able to fully assess the damage done. In short, the assessments being made today about the scope and significance of cyber risk are educated guesswork.

Difficulties in Threat Modeling

The evolving nature of cyber threats also makes it difficult to assess underwriting risk. Good data about past events that triggered claims gives insurers the opportunity to model the likelihood of future losses. But even if the ability to understand and model past cyber threats improves materially, there will still be uncertainty in assessing future risk because the nature of cyber threats can change so rapidly. A foreign government or activist hacker group could announce it had both a new technology for which there was no defense and a plan to undermine major U.S. corporations. In turn, these events could destabilize financial markets and have a disruptive impact on both insurers and the corporations that may be subject to attacks.

Problems do not arise just from external sources. Many cyber incidents can be traced to employees who either knowingly or unwittingly opened a window to allow an attack. A company laptop that is inadvertently left at an airport can become a tool for hackers. Each time a firm hires a new employee with access to critical systems, its risk profile immediately changes. Managing these internal risks will remain a challenge for companies and insurers.

The effectiveness of modeling will depend on the stability and predictability of the technology used for cyber attacks. If attacks retain a significant degree of unpredictability, then pricing

1, 2  - View Full Page