cyber insurance

{{Short description|Information technology risk insurance}}

Cyber insurance is a specialty insurance product intended to protect businesses from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities. Risks of this nature are typically excluded from traditional commercial general liability policies or at least are not specifically defined in traditional insurance products. Coverage provided by cyber-insurance policies may include first- and third-party coverage against losses such as data destruction, extortion, theft, hacking, and denial-of-service attacks; liability coverage indemnifying companies for losses to others caused, for example, by errors and omissions, failure to safeguard data, or defamation; and other benefits including regular security audits, post-incident public relations and investigative expenses, and criminal reward funds.

Advantages

Because the cyber insurance market in many countries is relatively small compared to other insurance products, its overall impact on emerging cyber threats is difficult to quantify.{{Cite web|last=Toregas|first=Costis|date=|title=Insurance for Cyber Attacks: The Issue of Setting Premiums in Context|url=https://cspri.seas.gwu.edu/sites/g/files/zaxdzs1446/f/downloads/cyberinsurance_paper_pdf_0.pdf|url-status=live|archive-url=https://web.archive.org/web/20200727173341/https://cspri.seas.gwu.edu/sites/g/files/zaxdzs1446/f/downloads/cyberinsurance_paper_pdf_0.pdf |archive-date=2020-07-27 }} As the impact to people and businesses from cyber threats is also relatively broad when compared to the scope of protection provided by insurance products, insurance companies continue to develop their services.

As well as directly improving security, cyber insurance is beneficial in the event of a large-scale security breach. Insurance provides a smooth funding mechanism for recovery from major losses, helping businesses to return to normal and reducing the need for government assistance. Baban, Constance P.; Gruchmann, Yvonne; Paun, Christopher; Constanze Peters, Anna; Stuchtey, Tim H. (December 2017). “[https://www.bigs-potsdam.org/app/uploads/2020/06/PP_No7_Cyber-Insurance.pdf Cyber Insurance as a Contribution to IT Risk Management].” Brandenburg Institute for Society and Security gGmbH. Retrieved 27 January 2025. {{cite web |title=Cyber-Insurance Metrics and Impact on Cyber-Security |url=https://obamawhitehouse.archives.gov/files/documents/cyber/ISA%20-%20Cyber-Insurance%20Metrics%20and%20Impact%20on%20Cyber-Security.pdf |website=ObamaWhiteHouse.gov |access-date=26 March 2025}}

As a side benefit, many cyber-insurance policies require the entity seeking coverage to participate in an IT security audit before the insurance carrier will bind the policy. The audit helps the company determine its current vulnerabilities and allows the insurance carrier to gauge the risk it is taking on by offering the policy. In some cases the entity is required, as a result of the audit, to remediate vulnerabilities in its IT security before the cyber-insurance policy can be procured. This in turn helps reduce the risk of cyber crime against the company procuring cyber insurance.{{Cite journal |last1=Tsohou |first1=Aggeliki |last2=Diamantopoulou |first2=Vasiliki |last3=Gritzalis |first3=Stefanos |last4=Lambrinoudakis |first4=Costas |date=2023-06-01 |title=Cyber insurance: state of the art, trends and future directions |url=https://doi.org/10.1007/s10207-023-00660-8 |journal=International Journal of Information Security |language=en |volume=22 |issue=3 |pages=737–748 |doi=10.1007/s10207-023-00660-8 |issn=1615-5270 |pmc=9841933 |pmid=36684688}}

Finally, insurance allows cyber-security risks to be distributed fairly, with the cost of premiums commensurate with the size of expected loss from such risks. This avoids potentially dangerous concentrations of risk while also preventing free-riding.

History

According to Josephine Wolff’s research into the history of cyber insurance, its origins trace back to an April 1997 International Risk Insurance Management Society convention at which Steven Haase presented the launch of the first cyber insurance product, including first and third party coverages.{{Cite web |last=Wolff |first=Josephine |date=August 30, 2022 |title=A Brief History of Cyberinsurance |url=https://slate.com/technology/2022/08/cyberinsurance-history-regulation.html |access-date=September 29, 2024 |website=Slate}}{{Cite web |last=Williams |first=Carl |date=June 7, 2024 |title=How Steven Haase Pioneered Cyber Insurance and Shaped an Industry |url=https://www.techtimes.com/articles/305455/20240607/how-steven-haase-pioneered-cyber-insurance-and-shaped-an-industry.htm |access-date=September 29, 2024 |website=Tech Times}}{{Cite web |last=Szczepanski |first=Kevin |date=March 2, 2022 |title=Barclay Damon Live Presents: The Cyber Sip Podcast, Episode 8: State of the Market – Cybersecurity Insurance, With Kelly Geary |url=https://www.barclaydamon.com/files/28754_cyber_sip_transcriptep8.pdf |access-date=September 29, 2024 |website=Barclay Damon}} Haase first came up with the concept of cyber insurance a few years earlier and had discussed it with various industry colleagues at times, but this 1997 event marked a breakthrough moment when the first cyber insurance policy and underwriting platform were actually launched. 
The event resulted in the creation of the first policy designed to focus on the risks of internet commerce, which was the Internet Security Liability (ISL) policy, developed by Haase and underwritten by AIG.{{Cite web |last=Wolff |first=Josephine |date=August 30, 2022 |title=A Brief History of Cyberinsurance |url=https://slate.com/technology/2022/08/cyberinsurance-history-regulation.html |access-date=September 29, 2024 |website=Slate}} Around this same time, in 1999, David Walsh founded CFC Underwriting in the United Kingdom, a company which treats cyber as one of its main focus areas.{{Cite web |last=Gagan |first=Mark |date=January 18, 2022 |title=The Voice of Insurance Podcast, Episode 107: David Walsh and Graeme Newman of CFC Underwriting: Build Your Own |url=https://thevoiceofinsurance.podbean.com/e/ep-107-david-walsh-and-graeme-newman-of-cfc-underwriting-build-your-own/ |access-date=September 29, 2024 |website=PodBean}}{{Cite web |last=Frost |first=Jen |date=November 29, 2023 |title=CFC CEOs Newman and Walsh to depart after Lloyd's investigation |url=https://www.insurancebusinessmag.com/ca/news/breaking-news/cfc-ceos-newman-and-walsh-to-depart-after-lloyds-investigation-468328.aspx |access-date=September 29, 2024 |website=Insurance Business Magazine}} Chris Cotterell founded Safeonline around the same time, which soon became another significant player in the cyber insurance space.{{Cite web |last=Bronson |first=Caitlin |date=April 23, 2015 |title=Five minutes with…Chris Cotterell, Safeonline LLP |url=https://www.insurancebusinessmag.com/us/news/breaking-news/five-minutes-withchris-cotterell-safeonline-llp-22200.aspx |access-date=September 29, 2024 |website=Insurance Business Magazine}}{{Cite web |title=SafeOnline |url=https://www.insurancebusinessmag.com/uk/special-reports/uk-specialty-brokerages-2016/safeonline-36387.aspx |access-date=September 29, 2024 |website=Business Insurance Magazine}} The early meeting between Haase and 20 industry colleagues in Hawaii is now commonly referred to as the “Breach on the Beach” and is considered a pivotal moment at which cyber insurance was first recognized and celebrated.{{cite book | last1=Wolff | first1=Josephine | doi=10.7551/mitpress/13665.003.0006 |doi-access=free | chapter=Breach on the Beach: Origins of Cyberinsurance | title=Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks | date=2022 | pages=27–62 |publisher=MIT Press | isbn=978-0-262-37075-2 }}{{Cite web |last=Wolff |first=Josephine |date=August 30, 2022 |title=A Brief History of Cyberinsurance |url=https://slate.com/technology/2022/08/cyberinsurance-history-regulation.html |access-date=September 29, 2024 |website=Slate}}

After a significant malware incident in 2017, however, Reckitt Benckiser released information on how much the cyberattack would impact financial performance, leading some analysts to believe the trend is for companies to be more transparent with data from cyber incidents.{{cite news |last1=Daneshkhu |first1=Scheherazade |title=Reckitt seeks to quantify havoc of malware attack |url=https://www.ft.com/content/c4a63082-6264-11e7-91a7-502f7ee26895 |accessdate=24 August 2017 |work=Financial Times |issue=7 July 2017}} Purchases of cyber insurance have increased due to the rise in internet-based attacks, such as ransomware attacks. According to the Government Accountability Office, "Insurance clients are opting in for cyber coverage—up from 26% in 2016 to 47% in 2020. At the same time, U.S. insurance entities saw the costs of cyberattacks nearly double between 2016 and 2019. As a result, insurance premiums also saw major increases."{{Cite web |last=Office |first=U. S. Government Accountability |date=2023-09-27 |title=Rising Cyberthreats Increase Cyber Insurance Premiums While Reducing Availability {{!}} U.S. GAO |url=https://www.gao.gov/blog/rising-cyberthreats-increase-cyber-insurance-premiums-while-reducing-availability |access-date=2024-01-30 |website=www.gao.gov |language=en}}

Current need

A key part of managing risk is establishing what is an acceptable risk for each organization, or what is 'reasonable security' for its specific working environment. Practicing 'duty of care' helps protect all interested parties (executives, regulators, judges, and the public) who can be affected by those risks. The Duty of Care Risk Analysis Standard (DoCRA){{Cite web|url=https://docra.org/|title=Duty of Care Risk Analysis Standard|last=|first=|date=|website=The DoCRA Council|access-date=|archive-url=https://web.archive.org/web/20180814170112/https://docra.org/|archive-date=2018-08-14|url-status=dead}} provides practices and principles to help balance compliance, security, and business objectives when developing security controls.

Legislation

In 2022, Kentucky and Maryland enacted insurance data security legislation based upon the National Association of Insurance Commissioners (“NAIC”) Insurance Data Security Model Law (MDL-668).{{Cite web |last=NAIC |title=INSURANCE DATA SECURITY MODEL LAW |url=https://content.naic.org/sites/default/files/inline-files/MDL-668.pdf |website=NAIC}} Maryland's SB 207{{Cite web |title=Maryland Senate Bill 207 |url=https://legiscan.com/MD/bill/SB207/2022 |website=LegiScan}} takes effect on October 1, 2023. Kentucky's House Bill 474{{Cite web |title=House Bill 474 |url=https://apps.legislature.ky.gov/record/22RS/hb474.html |website=Kentucky General Assembly}} goes into effect on January 1, 2023.

Existing issues

During 2005, a "second generation" of cyber-insurance literature emerged targeting risk management of current cyber-networks. The authors of such literature link the market failure with fundamental properties of information technology, especially correlated risk, information asymmetries between insurers and insureds, and inter-dependencies.{{cite journal|last1=Schwartz|first1=Galina|last2=Bohme|first2=Rainer|title=Modeling Cyber-Insurance|journal=In Proceedings of WEIS, 2010}}

According to Josephine Wolff, cyber insurance has been "ineffective at curbing cybersecurity losses because it normalizes the payment of online ransoms, whereas the goal of cybersecurity is the opposite—to disincentivize such payments to make ransomware less profitable."{{cite book |last1=Wolff |first1=Josephine |title=Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks |date=2022 |publisher=MIT Press |isbn=978-0-262-37075-2 |doi=10.7551/mitpress/13665.001.0001 |doi-access=free}}

= Ambiguities in terms =

In 2019, FM Global conducted a survey of CFOs at companies with over $1 billion in turnover. The survey found that 71% of CFOs believed that their insurance provider would cover "most or all" of the losses their company would suffer in a cyber security attack or crime. Nevertheless, many of those CFOs reported that they expected damages related to cyber attacks that are not covered by typical cyber attack policies. Specifically, 50% of the CFOs mentioned that they anticipated a devaluation of their company's brand after a cyber attack, while more than 30% expected a decline in revenue.{{Cite web|last=Global|first=F. M.|date=30 July 2019|title=Cyber insurance may create false sense of security among senior financial executives at world's top companies, suggests FM Global survey|url=https://newsroom.fmglobal.com/releases/cyber-insurance-may-create-false-sense-of-security-among-senior-financial-executives-at-worlds-top-companies-suggests-fm-global-survey|url-status=live|access-date=|website=FM Global|language=en-US|archive-url=https://web.archive.org/web/20200920110949/https://newsroom.fmglobal.com/releases/cyber-insurance-may-create-false-sense-of-security-among-senior-financial-executives-at-worlds-top-companies-suggests-fm-global-survey |archive-date=2020-09-20 }}

= War exclusion clauses =

Like other insurance policies, cyber insurance typically includes a war exclusion clause, explicitly excluding damage from acts of war. While the majority of cyber insurance claims will relate to simple criminal behaviour, increasingly companies are likely to fall victim to cyberwarfare attacks by nation-states or terrorist organizations, whether specifically targeted or simply as collateral damage. After the US and UK governments characterized the NotPetya attack as a Russian military cyber-attack, insurers are arguing that they do not cover such events.{{cite news |last1=Satariano |first1=Adam |title=Big Companies Thought Insurance Covered a Cyberattack. They May Be Wrong. |url=https://www.nytimes.com/2019/04/15/technology/cyberinsurance-notpetya-attack.html |accessdate=25 April 2019 |work=New York Times |date=15 April 2019}}{{cite news |last1=Osborne |first1=Charlie |title=NotPetya an 'act of war,' cyber insurance firm taken to task for refusing to pay out |url=https://www.zdnet.com/article/notpetya-an-act-of-war-cyber-insurance-firm-taken-to-task-for-refusing-to-pay-out/ |accessdate=25 April 2019 |work=ZDNet |date=11 January 2019}}{{cite news |last1=Menapace |first1=Michael |title=Losses From Malware May Not Be Covered Due To Your Policy's Hostile Acts Exclusion |url=https://www.natlawreview.com/article/property-insurance-cyber-insurance-coverage-and-war-losses-malware-may-not-be-0 |accessdate=25 April 2019 |work=The National Law Review |date=10 March 2019}}

Insurance Linked Securities for Cyber Risk Management

In a recent academic effort, researchers Pal, Madnick, and Siegel from the Sloan School of Management at the Massachusetts Institute of Technology were the first to analyze the economic feasibility of cyber-CAT bond markets. They applied economic theory and data science to propose conditions under which it is economically efficient to have re-insurance markets transferring risk (without the existence of CAT bond markets), CAT bond markets transferring risk (in the presence of re-insurance markets), or self-insurance markets (in the absence of re-insurance and CAT bond markets) to cover residual cyber-risk.{{cite book |last1=Pal |first1=Ranjan |last2= Madnick | first2=Stuart |last3=Nag |first3=Bodhibrata |chapter=Catastrophe Bond Trading Can Boost Security Improving Cyber (Re-)Insurance Markets|title=AMCIS 2023 Proceedings |chapter-url=https://aisel.aisnet.org/amcis2023/sig_sec/sig_sec/6?utm_source=aisel.aisnet.org%2Famcis2023%2Fsig_sec%2Fsig_sec%2F6&utm_medium=PDF&utm_campaign=PDFCoverPages |date=2023}}{{cite book |last1=Pal |first1=Ranjan |last2=Nag |first2=Bodhibrata |chapter=A Mathematical Theory to Price Cyber-Cat Bonds Boosting IT/OT Security |title=WSC '23: Proceedings of the Winter Simulation Conference |chapter-url=https://dl.acm.org/doi/10.5555/3643142.3643196 |date=2023|pages=648–659 |isbn=979-8-3503-6966-3 }}

Pricing

As of 2019, the average cost of cyber liability insurance in the United States was estimated to be $1,501 per year for $1 million in liability coverage, with a $10,000 deductible.{{cite news |last=Lerner|first=Matthew|date=September 19, 2019 |title=Average costs of cyber liability insurance studied|url=https://www.businessinsurance.com/article/20190919/NEWS06/912330752/Average-costs-of-cyber-liability-insurance-studied |newspaper=Business Insurance |access-date=January 7, 2021}} The average annual premium for a cyber liability limit of $500,000 with a $5,000 deductible was $1,146, and the average annual premium for a cyber liability limit of $250,000 with a $2,500 deductible was $739.{{cite news|last=Mak|first=Adrian|date=September 17, 2019|title=Average Cost of Cyber Insurance|url=https://advisorsmith.com/data/average-cost-of-cyber-insurance/|publisher=AdvisorSmith|accessdate=January 7, 2021}} In addition to location, the main drivers of cost for cyber insurance include the type of business, the number of credit/debit card transactions performed, and the storage of sensitive personal information such as date of birth and Social Security numbers.

References