Cybersecurity Insurance – Part 4: Current General State of Cybersecurity Insurance

October 13, 2015

As insurers are becoming increasingly reluctant to provide coverage for data breach losses under CGL policies, they are writing more and more policies specific to cybersecurity, causing cybersecurity insurance to become the fastest growing segment of the industry. However, the unpredictable probability and costs of data breaches, among other factors, make cybersecurity insurance rather expensive. Premiums for cybersecurity insurance totaled $1 billion in 2012 and $1.3 billion in 2013. While the cost of cybersecurity insurance has just recently begun to go down to some degree, many businesses still consider it to be too costly.

One of the difficulties associated with the high costs of cybersecurity insurance is that it can put companies in a position where they will have to choose between spending money on cybersecurity insurance or investing in technology that will improve their cybersecurity. Should the insured purchase a cybersecurity insurance policy that indemnifies it against state sanctions, administrative fines, property damage, business interruption, and consumer lawsuits arising from a data breach, it would have little incentive to devote sufficient resources to its information security infrastructure.

This creates something of a lose-lose-lose scenario between (a) the parties entrusting their data to an insured; (b) the insurer; and (c) the insured itself. Those whose data are at stake are more likely to suffer from inadequate protection of their information; insurers may lose money by becoming liable for unexpectedly large or frequent data breaches among their insureds; and the insured is more likely to be hacked, which, even if monetary losses are covered, can result in long-term reputational damage and internal disruption for a company.

More reasonably priced premiums can help improve the situation. Offering lower premiums for companies with better cybersecurity would help incentivize companies to devote more resources to their cybersecurity infrastructure. The idea is that insurers are willing to offer reduced premiums to insureds who take steps to decrease the likelihood or extent of the insurer’s liability. This type of model is common in other fields of insurance. In the context of flood insurance, for instance, elevating buildings above the community’s established base flood elevation will typically result in significantly lower flood insurance premiums for the building.

Differentiated premiums that correspond to the quality of the insured’s information security infrastructure do exist to some degree in the cyber insurance market, but they are not standard, resulting in an inefficient marketplace. The difficulty with applying a differentiated premium model to the field of cyber insurance is that it can be hard to assess what the actual cyber-risks are for a given company. There is often an information asymmetry between insurer and insured, because the insurer typically does not have the resources to monitor an insured’s cybersecurity-related actions that may affect the risks for which the insurer is liable. This can include “vital information regarding applications, software products installed by internet users and security maintenance habits, which correlate to the risk types of users.”

Adequately pricing premiums also requires a thorough understanding of cyber incident loss data, which is generally lacking because companies are often reluctant to make public their experiences with cybersecurity breaches. Many times the companies themselves are not even aware of breaches in their systems. As a result, it is difficult for insurers to know the actual frequency and extent of cyber-breaches that have taken place among potential insurance purchasers. This lack of information concerning cyber-threats makes it even more difficult for an insurer to assess the strength of a company’s cybersecurity infrastructure and offer correspondingly priced premiums.

More broadly, cyber-threats remain a relatively new phenomenon that is always changing. Even with reliable information sharing, insurers wouldn’t have all that much data to use in evaluating cyber-risks compared to something like floods, which have been happening for considerably longer. Moreover, even the data that insurers do have could become obsolete overnight. The state of cybercrime is constantly in flux as new technologies are rapidly developing and hackers are becoming more sophisticated.

With time, more data is likely to become available for insurers to assess cyber-risk more accurately, and we may see differentiated premiums become standard in the near future. Technologies are already being developed to help insurers become better informed about cyber risks. Yet it remains important to be careful while navigating the cybersecurity insurance market and to proceed with the most up-to-date information possible.

In the next installment of this article, I will provide an overview of important threat actors and tools to be aware of while in the process of obtaining a cybersecurity insurance policy.

Titles by Daniel Garrie