Cyber insurance is a rapidly growing business, but it is still a relatively small part of the overall U.S. property and casualty (P&C) insurance market. Today, U.S. businesses can get cyber insurance either as a standalone policy or as part of their general P&C coverage in a packaged policy. As the cyber market has matured, insurers have refined how these policies are underwritten and priced. However, there are fundamental aspects of cyber insurance that make it difficult for insurers to write and price policies that cover a broad swath of risks.

 

Lack of historical data & ability to predict the future of cyber risk

There is only a limited loss history for insurers to use when setting prices for cyber insurance premiums and coverage loss limits, and this introduces risk. When insurers set auto insurance premiums, for example, they can rely on a long history of accidents and damages to model the probability that a driver with a specific set of characteristics will get in an accident and then set premiums to cover this expected loss. Cyber insurers, working in a fast-developing market, instead rely on a number of indirect factors to try to price policies appropriately, including market estimates of the cost of cyberattacks, questionnaires to determine the riskiness of the insured, their own (often limited) underwriting experience, and pricing by other insurance companies. They also need to closely manage data quality, risk exposure and the appropriateness of historical data to define pricing and reserving.

 

Rapid evolution of hacking strategies

Cyberattacks are constantly evolving as both private and state-sponsored hackers develop new methods to infiltrate networks. The rapid evolution of hacking capabilities and strategies makes it difficult for insurers, which rely on clients having relatively consistent risk profiles, to assess the true risk of a potential client being hacked. The increased sophistication of hackers is evident, in that both the frequency and costs of cyberattacks have risen in recent years: In the U.S. the reported cost of the average cyberattack rose 29% from $21.2 million in 2017 to $27.4 million in 2018. Despite this, the cyber-insurance market remained profitable for underwriters.

 

Large-scale cyberattacks

Cyberattacks are highly scalable as they can potentially hit thousands of companies simultaneously, causing large interrelated losses for insurers. Due to the design of the internet, there are highly important central nodes. This type of network centralization creates two problems for cyber insurers. One type of problem would occur if an important service, such as a large cloud computing platform used by many policyholders, went down. The insurer may then have to pay claims on all of its policyholders at once.

​

Another problem cyber insurance faces is the possibility of cascading failures caused by a cyberattack. One common example of a cascading failure is an attack on a power grid, where the destruction of a piece of critical infrastructure leads to failures across the rest of the grid. Cyberattacks using self-reproducing malware can also spread across a network of computers. Such an attack occurred in 2017, when a piece of malicious Russian code dubbed NotPetya targeted Ukraine. By exploiting a vulnerability in Windows to gain control over unpatched computers, NotPetya then used this access to gain passwords of other machines on the network and jumped across the globe, causing over $10 billion in estimated damages. Such an attack could happen again, and it could be worse next time.

 

In conclusion, cyber insurance is a small but growing market. As cyberattacks become more frequent and more damaging, people and institutions are searching for cyber coverage that protects them from these risks. However, the cyber insurance industry faces significant challenges, including a lack of historical data, a lack of ability to predict the future of cyber risk, the possibility of large cascading loss events, uncertainties among market participants about what is specifically covered under such policies, and legal battles over fundamental issues. The future growth of the market will depend upon how these issues are resolved.