Growing awareness of broader cyber risks, such as the impact of business interruption, as well as regulatory change, will propel future rapid growth of cyber insurance. Meanwhile, as technology becomes even more engrained in everyday life and business, new risks will emerge.
> Download the full publication "A Guide to Cyber Risk"
The cyber insurance market has grown rapidly over the past decade, prompted by the introduction of mandatory notification requirements in a growing number of US states.
California was the first to introduce mandatory notification, which has now spread to over 90% of US states. As a result, the cyber insurance market is now estimated to be worth around $2bn in premium worldwide, with US business accounting for approximately 90%.
“The cyber market is growing by double-digit figures year-on-year, and could reach $20bn or more in the next 10 years,” says Nigel Pearson, Global Head of Fidelity, AGCS, who notes that fewer than 10% of companies are thought to purchase cyber insurance today.
“Growth in the US is already underway as data protection regulations help focus minds, while legislative developments and increasing levels of liability will see growth accelerate in the rest of the world.”
Growth will also come as a broader range and size of companies purchase cyber insurance. As awareness of the risks grows, they will increasingly examine their risk transfer options.
For example, sectors that hold large volumes of personal data, such as healthcare and retail, or sectors relying on digitalized IT/operational technology processes such as logistics, manufacturing and telecommunications, are currently most likely to buy cyber insurance. However, there is growing interest among financial institutions and the energy, utilities and transport sectors, driven by the increasing perils posed by interconnectivity.
Early adopters have tended to be larger companies with more sophisticated risk management, but an increasing number of small- to medium-sized enterprises (SME) will also purchase cyber insurance in future.
Growth in the cyber insurance market will also be driven by increasing demand for business interruption (BI) coverage.
“When discussing cyber risk many people focus on the liability and data protection risks. But for many companies this will not be the most critical cyber exposure,” says Georgi Pachov, Global Practice Group Leader Cyber, CUO Property, AGCS.
“Awareness of BI risks and insurance related to cyber and technology is increasing. Within the next five to 10 years BI will be seen as a key risk and a major part of the cyber insurance landscape.”
Supply chain impact
Today, many companies are concentrating on managing and insuring cyber risks within their own organization. However, they will increasingly look to extend insurance cover to their supply chains, Pachov predicts.
“Business exchanges with partners are increasingly electronic,” explains Jens Krickhahn, Practice Leader, Cyber & Fidelity at AGCS Financial Lines Central & Eastern Europe.
“Even if a company is confident in its own IT controls, it is still exposed to cyber risk through its business partners, contractors and supply chains,” he says.
Companies need to be clear about the impact a cyber incident could have on their supply chain, the liability they could face if they cannot deliver their products in time or if they lose customer data, any jurisdictional laws which might apply, as well as the costs for hiring lawyers, IT experts and public relations experts to resolve any issues.
A large loss is on its way
While there have been some very large data breaches, there has yet to be a major cyber event of truly catastrophic proportions. “There is the potential for a catastrophic cyber-attack or a major cyber-risk aggregation event, but exactly what it will look like is difficult to predict,” says Pearson.
The impact could be severe. An attack or incident resulting in a huge data loss, BI or reputational damage could potentially put a large corporation out of business. A major data breach or network outage for a cloud service provider could cause business disruption for hundreds of companies. Another catastrophic scenario could result from a successful attack on the core infrastructure of the internet. Other scenarios could see an incident involving an energy or utility company resulting in a significant outage, physical damage or even loss of life in future, while a cyber war between two countries could disrupt services around the world.
A catastrophic cyber event could generate significant losses. However, at the same time it would also raise awareness and ultimately boost demand for cyber insurance, Pearson predicts.
Private/public cyber collaboration
Unsurprisingly, such concerns about the economic impact of cyber risk, and risk to critical infrastructure in particular, have attracted the attention of governments. In the US and Europe, governments have been encouraging companies to build their resilience to a cyber-attack, promoting cyber security standards and greater levels of co-operation including sharing data.
“Interest in protecting critical infrastructure is likely to see governments becoming increasingly involved in cyber security, with much greater levels of scrutiny and liability,” Pearson concludes.