Consumers at home during the height of the pandemic may have looked around their homes and noticed just how many devices are connected to the internet. It’s more than just the obvious, like computers, smartphones and tablets. Now a range of items is connected via the Internet of Things (IoT), like thermostats, home security systems and appliances.
Every single one of these items represents a potential vulnerability for some kind of personal data, and that has led to an increase in the business of insurance covering cybersecurity losses. On a commercial level, companies have become more conscious of hacking with a variety of motivations, such as business disruption and corporate espionage. On a personal level, people have cyber vulnerabilities that can be insured, such as theft of personal information, whether for monetary gain or cyberbullying. Policies can provide remedies such as coverage for mental health treatment, public relations and legal assistance.
Swiss Re projected that the market for commercial cybersecurity insurance would reach $10 billion by 2020 and the market for personal cybersecurity insurance could reach $3 billion by 2025. But the market does face pressure. A range of events, from the proliferation of devices during the pandemic to state-sponsored cyberattacks, has put pressure on the cybersecurity insurance market. According to a Global Markets Insight Report for Q1 2022 by Aon, comparing the market dynamics for several types of coverage, cybersecurity insurance has the toughest prospects in many of its features, including pricing, capacity, underwriting, limits, deductibles and coverages.
“The increased claims activity has caused certain carriers to pull completely out of the marketplace,” says Rachel Jenkins, customer success manager at FounderShield, a New York-based company that specializes in brokering insurance coverage for start-up companies. “It caused certain carriers to pull out of certain industries. I've had situations where clients have had their limits slashed in half and half of the coverage is removed and quoted at a higher premium.”
When claims activity increases, Jenkins says, insurers may react aggressively around the characteristics of their cybersecurity policies, even “over-correcting.” However, others in the cybersecurity insurance business see the rising prices and other pressures as bringing the market to where it should be.
“Cyber premiums are actually getting right-sized after many years of a softer market,” says Jack Kudale, founder and CEO of Cowbell Cyber, a cybersecurity insurance solutions provider. “You’re not going to see cyber premiums go down over the next year, or two, or ever. Now we’re going through a hard market cycle.”
“In cybersecurity insurance, we are seeing more and more activity,” says Andrew Palmer, CIO of Global Retail Markets at Liberty Mutual. “The activity is increasing more year over year than I have seen before. That’s going to continue to escalate.”
Kudale of Cowbell Cyber says four out of every five small businesses do not have cybersecurity insurance. His company, founded in January 2019, serves small to mid-size companies by assessing cybersecurity risks, modeling that risk, pricing it for insurance coverage, and handling claims. Cowbell Cyber uses AI, actuarial models and various data sources to support these functions. The company also recently introduced a cyber risk heat map for its agency, broker, insurance and underwriting clients to continuously assess their cybersecurity risks.
The company currently handles coverage totaling about $200 million in premiums, but Kudale expects that to grow sharply, in keeping with what Swiss Re and others are projecting. “We believe over the next five years that we can build a billion dollars in premiums,” he says. In addition, Kudale believes the overall market for cybersecurity insurance could reach $100 billion by the end of this decade.
Cybersecurity insurance is split between commercial and personal policies. Logically, commercial policies will represent more of the projected growth, in percentage and in value of premiums. While some large, established insurance companies have pulled out of this field or haven’t entered it, others do have retail, individual-level offerings.
In 2016, Chubb began including personal cybersecurity protection options in its personal policies. About one year ago, Chubb also launched Blink, a personal cybersecurity insurance offering marketed to younger consumers. Chubb’s cybersecurity coverage includes losses caused by cyber attacks, ransomware attacks, cyberbullying and breaches of privacy or security, as well as damages to IoT-connected devices in the home (which could make it uninhabitable), according to Carolyn Boris, vice president of product development at Chubb.
“You can see more targeted loss prevention efforts in place,” she says. “There's just been a greater awareness in the agent and broker community about the risks involved and the need for the insurance.”
Technology advances created more risks. Market research firm Future Market Insights (FMI) identifies “an alarming increase in cybercrime and cyber attacks.” Laura Bennett, senior vice president, e-consumer North America at Chubb, says, “Risks that have appeared that have driven us to then introduce the personal line products.”
On the other hand, technology makes it possible for insurers to better evaluate claims, according to Boris at Chubb. “Our claims department will partner with experts – digital forensic experts if needed – to understand the actual loss,” she says. Information gained from handling claims can be used to prevent future losses. “Our claims team will determine how a cyber attack occurred or how a bad actor got into a system. After a claim occurs, it's not all about paying out money for the loss. It is also about mitigating and going forward.”
Technology also can help determine what coverages will be, according to Jenkins of FounderShield. “Innovators are finding niche areas where they can take an analytical approach to an insurance product and apply that analytical, actuarial analysis to a specific product, streamlining it,” she says.
Commercial-level cybersecurity insurance coverage for businesses is active and growing just as much as personal, individual coverage. In recent months, companies have been investing more funds in cybersecurity coverage ventures. In September, Microsoft partnered with At-Bay, a cyber insurance company specializing in covering digital risk for businesses. In January, IBM reached a €65 million, 3-year agreement with the Asian Investment Bank to accelerate a digital transformation of the bank that includes cyber resilience and fraud detection capabilities.
Also, cybersecurity coverage is being seen as a necessary part of errors and omissions (E&O) policies for companies, says Cowbell’s Kudale. Companies, especially small and mid-size ones, are learning how essential cybersecurity coverage can be, especially against ransomware demands. “The average ransom demand of $200,000 – for a small business on a Friday night, that guarantees they won’t be able to open their doors on Monday morning unless they have cybersecurity insurance,” he says.
Aside from ransomware attacks, cybersecurity insurance for commercial clients can provide several other relief measures, as Tim Francis, enterprise cyber lead at Travelers, explains. “That can include, but is not limited to conducting a forensic investigation; recovering the compromised data; repairing damaged computer systems; litigation and regulatory defense expenses; notifying affected customers; and replacing income lost as a result of a cyber event,” he says.
Travelers has offered cybersecurity coverage for several years, and policies also cover cyber crimes such as computer fraud, funds transfer fraud and social engineering fraud, according to Francis.
Depending on the size of a company seeking commercial cybersecurity coverage, policies can be written to include or exclude several types of cyber-related losses. This can get complicated for small businesses in particular. “At the very least, if you can't afford all the fancy different gate locks that everybody has, if you have a plan on how to respond to different situations, you will do better than a lot of companies that have nothing,” says Jenkins of FounderShield.