Cybersecurity is a top-of-mind priority for organizations of all types. From businesses to government agencies to non-profits, leaders must consider a growing number of cyber threats, risks, and vulnerabilities. The cost of dealing with a cyber incident can be staggering, and so nearly every tech-related decision must be measured against its effect on the organization’s cyber risk profile.
For many leaders, their instinctive reaction to cyber threats is to obtain the best cybersecurity controls and systems their budget will allow, and that’s a wise move. Still, that’s not enough for many businesses. These enterprises address cyber uncertainty like any other risk, and one way to mitigate risk is to acquire insurance.
This article aims to demystify cyber insurance and examines various aspects of the cybersecurity insurance market. We’ll dive into what it is, the size of the market, and what it covers. It’s a big subject upon which volumes have been written, so here we hope to arm students, security practitioners, and business leaders with helpful information to guide their further research.
In this guide
- What is cybersecurity insurance?
- Size of the market
- Risk, threat, vulnerability
- Role of cybersecurity insurance
- History of insurance
- What insurance covers
- Cybersecurity insurance providers
What is cybersecurity insurance?
All organizations face uncertainty or risk, and it is a risk manager’s job to guide the C-suite toward the most appropriate options for each identified hazard. There are four basic strategies or tools for mitigating risk, and insurance is one of them.
Assume and accept: To assume and accept risk can be an intended strategy or the result of making no decision at all. If the threat is minor and the consequences relatively insignificant, an organization may decide that the cost of other mitigation strategies is prohibitive, so they just accept the risk.
Avoid: To avoid cyber risk, organizations may decide to sidestep or cease certain risky activities. If, for example, a company identifies that they are at risk by allowing their employees to connect personal devices to the corporate network, they may enforce policies that prevent that activity, thus avoiding the risk.
Control: The billion-dollar security solutions market is built around the idea of controlling risk. Firewalls, scanners, and other cybersecurity products and services are all designed to help organizations control their cyber risk. Insurers are increasingly tightening underwriting requirements and specifying that their customers adopt security controls that reduce their exposure to cyber risk.
Transfer: An organization may decide to mitigate the consequences of a cyber attack by transferring them to another party. After willingly assuming a small amount of risk, avoiding dangerous behavior, and doing their best to control their exposure, some risk still remains. Transferring that risk to an insurance company further improves an organization’s risk profile. This is the role of cybersecurity insurance.
Insurance of any kind is simply a means of protection against financial loss. It is a form of risk management and is primarily used to hedge against the losses that remain after other mitigation strategies have been applied.
Size of the cybersecurity insurance market
Mordor Intelligence estimates that the cybersecurity insurance market was $9.29 billion in 2021, and they expect it to reach $28.25 billion by 2027. They cite the ever-growing connectivity of everything coupled with a labor shortage among already strained IT and security teams as the primary cause of the expected increase.
According to Marsh McLennan, a leading insurance broker and risk advisor, cyber insurance pricing in the US grew an average of 96 percent year-over-year in 2021. They attribute this phenomenal growth to an increase in significant losses, an expanded view of cyber risks, an increased cost of reinsurance, and a dwindling pool of available capital caused by insufficient premiums.
Understanding risk, threats, and vulnerabilities
Because cybersecurity insurance is only one of many tools that organizations can use to manage their risk profile (a prioritized inventory of their most significant risks), it is helpful to understand a few key terms and concepts used by risk managers and insurance brokers.
These fundamental notions are Risk, Threat, and Vulnerability. In the context of security and cybersecurity insurance, the relationship between these terms is commonly expressed as Risk = Threat x Vulnerability, though some organizations prefer Risk = Probability x Consequence.
The National Institute of Standards and Technology (NIST) defines a threat as “Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability.”
In short, a threat is a bad thing that could happen.
NIST defines vulnerability as a “Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.”
The third term, risk, is defined by NIST as “A measure of the extent to which an entity is threatened by a potential circumstance or event [a threat caused by a vulnerability], and typically a function of (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.”
It is fair to say that if an organization is not vulnerable to a given threat, there is no risk, and they would take no action to prevent its occurrence. Conversely, when they are highly vulnerable to a threat with severe consequences (sometimes called criticality), organizations will do everything possible to protect against that risk.
Risk drives cybersecurity decisions, including whether or not to purchase cybersecurity insurance.
The role of cybersecurity insurance
Business and government agencies spend enormous sums of money investing in cybersecurity protection measures and systems. They hire teams of security professionals to operate these systems and protect against threats. Still, some risk remains.
Regardless of how diligent an organization is, there is always a chance that a zero-day vulnerability (a vulnerability that has not previously been seen in the wild) will be exploited by a threat actor, or that an employee will fall victim to a social engineering scheme.
The risks that remain even after an organization has done everything it can to prevent and mitigate threats are called residual risks.
Instead of accepting those residual risks, many organizations choose a more pragmatic approach, similar to how they address other business threats they face. They transfer the risk to an insurance company for a fee.
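To make the four treatment strategies and the notion of residual risk concrete, here is a small risk register model. It is an added example, not code from the original article or from any insurer or standards body. It scores each risk with the article's Risk = Probability x Consequence form, applies the chosen treatment (accept, avoid, control, or transfer), and reports how much expected loss stays with the organization versus how much is shifted to an insurer. Every figure in the sample register (probabilities, loss amounts, control effectiveness, insured fraction) is a constructed assumption for illustration only.

```python
from dataclasses import dataclass

# The four risk treatment strategies described in the article.
TREATMENTS = ("accept", "avoid", "control", "transfer")


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float             # annual likelihood the threat materialises (0..1)
    consequence: float             # loss in USD if it does
    treatment: str                 # one of TREATMENTS
    control_effect: float = 0.0    # fraction of the probability removed by controls (0..1)
    insured_fraction: float = 0.0  # fraction of the remaining loss an insurer would pay (0..1)

    def __post_init__(self) -> None:
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {self.treatment!r}")
        for value in (self.probability, self.control_effect, self.insured_fraction):
            if not 0.0 <= value <= 1.0:
                raise ValueError("probability, control_effect and insured_fraction must be in 0..1")


def inherent_risk(r: Risk) -> float:
    """Risk before any treatment: Probability x Consequence (expected annual loss)."""
    return r.probability * r.consequence


def residual_risk(r: Risk) -> float:
    """Expected loss the organisation still carries after its chosen treatment."""
    if r.treatment == "avoid":
        return 0.0  # the risky activity is stopped, so the threat no longer applies
    if r.treatment == "accept":
        return inherent_risk(r)  # nothing is done; the full expected loss is retained
    # Controls lower the likelihood; the consequence if it still happens is unchanged.
    controlled = r.probability * (1.0 - r.control_effect) * r.consequence
    if r.treatment == "control":
        return controlled
    # transfer: controls are applied first, then the insurer takes its share of what is left
    return controlled * (1.0 - r.insured_fraction)


def transferred_risk(r: Risk) -> float:
    """Expected loss shifted to the insurer (zero unless the treatment is transfer)."""
    if r.treatment != "transfer":
        return 0.0
    return r.probability * (1.0 - r.control_effect) * r.consequence * r.insured_fraction


def summarize(register: list) -> dict:
    """Totals across the register: inherent, residual (retained) and transferred risk."""
    return {
        "inherent": sum(inherent_risk(r) for r in register),
        "residual": sum(residual_risk(r) for r in register),
        "transferred": sum(transferred_risk(r) for r in register),
    }


# Constructed sample register; every figure below is an assumption for illustration.
SAMPLE_REGISTER = [
    Risk("Ransomware outbreak", 0.20, 500_000, "transfer", control_effect=0.5, insured_fraction=0.8),
    Risk("BEC wire fraud", 0.10, 200_000, "control", control_effect=0.6),
    Risk("Personal devices on the corporate network", 0.30, 50_000, "avoid"),
    Risk("Minor website defacement", 0.05, 5_000, "accept"),
]


if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.name:45} {r.treatment:9} inherent={inherent_risk(r):>10,.0f} "
              f"residual={residual_risk(r):>10,.0f} transferred={transferred_risk(r):>10,.0f}")
    print(summarize(SAMPLE_REGISTER))
```

Running the script shows that, for the constructed ransomware entry, controls halve the expected loss and insurance then carries 80 percent of the remainder, leaving a residual of 10,000 against an inherent 100,000. The model deliberately treats "transfer" as something applied after controls, mirroring the article's point that insurers expect customers to have controls in place before they underwrite the remaining exposure.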
Cybersecurity insurance is a critical component of an organization’s cyber risk management program, just like errors and omissions or automobile insurance are components of their business risk management program. Both are designed to improve the organization’s risk profile.
The history of cybersecurity insurance
Insurers began covering some of the losses resulting from a data breach in traditional commercial insurance policies in the early 2000s. These early policies were relatively simple and typically covered the costs of business interruption, extortion, and the loss of digital or data assets.
Spurred mainly by increased regulation and strict notification laws, organizations have expanded their cyber mitigation strategies to align more closely with how they manage other risks. When organizations manage cyber risk in the same ways they address other perils, it makes sense for them to include insurance as one of their mitigation tools.
What cybersecurity insurance can cover
Today, cyber insurance policies offer coverage beyond data breaches. They offer protection against a broad range of cyber threats. Some of the threats for which coverage may be available include the following.
Ransomware: Coverage is commonly available for ransomware payments and other types of cyber extortion. Bad actors often use malware to deny users access to their systems and threaten to disclose sensitive information publicly. The FBI discourages victims from paying ransoms because there is no guarantee that the hackers will remove the malicious software or restore the data.
BEC and social engineering attacks: Many cybersecurity policies cover business email compromise (BEC) and other social engineering attacks. In a classic BEC scam, hackers trick employees into making wire transfers to the hacker's bank account using a compromised or spoofed email account belonging to one of the organization's leaders. BEC scammers often target large organizations that do business globally.
Loss of business and other attack-related expenses: Loss of business income due to a cyberattack and additional direct costs such as forensic expenses can be covered under cybersecurity insurance policies. In some cases, policies cover the insured company for losses from an attack on a third party, such as a vendor or partner. This coverage is essential given today's complex supply chain ecosystem.
Damaged reputation: Many companies rely on the trust of their customers, and being victimized by a cyberattack can cause a significant reduction in business for some time. Damaged reputation coverage compensates the insured for lost income caused by damage to their reputation following a cybersecurity event for a specified duration.
Corporate Identity Theft: Coverage may be available for losses incurred due to fraudulent use of the company’s digital identity. These crimes may be in the form of fraudulently established credit or illegally signed contracts.
Leadership Liability: Coverage may be available for senior executives to protect them if they are sued in connection with a covered cyber event.
Cybersecurity insurance providers
Investopedia researched 15 top cyber insurance companies and settled on a list of five as their top picks for 2022. The criteria used were the comprehensiveness of their cyber protections, reputations, and ratings.
- Best Overall: AmTrust Financial
- Best for Healthcare Professionals: The Doctors Company
- Best for Law Firms: The Hartford Steam Boiler Inspection and Insurance Company
- Best for Non-profits: CyberPolicy
- Best for Retailers: Travelers
NS Insurance reports that the global rating agencies Fitch and Standard & Poor's find the US cybersecurity insurance market concentrated in 15 companies. By size, these companies include the following.
- AXA XL
- BCS Insurance Co.
- Liberty Mutual
- Zurich American
- Tokio Marine US
- The Hartford
- Sompo International
- Fairfax Financial
- Berkshire Hathaway
In the short space of about two decades, cyber insurance has gone from a mostly abstract idea considered a necessity by very few organizations to an exploding business insurance segment. It has become something nearly every business leader thinks about, and many have purchased it.
As the rate and severity of cyberattacks rapidly increase and a flood of new vulnerabilities inundates security teams, 100 percent cybersecurity is impossible. No organization is immune from ransomware, malware, DDoS attacks, and a host of other cyber threats.
Organizations can accept the risk of financial loss from a cyberattack, avoid risky endeavors, adhere to recommended cyber hygiene procedures, and apply security control measures. Still, some risk remains.
To address residual cyber risk, many companies have turned to the same tools they have always used to combat other types of risk; this includes the transference of the risk to an insurance company.