Washington, D.C. – The market for cyber insurance, a product that did not even exist before the mid-1990s, is booming.
A new report from the Bipartisan Policy Center’s insurance task force, Cyber Insurance: A Guide for Policymakers, looks at the need to create a well-functioning market for cyber insurance and the obstacles that must be overcome.
The recent and anticipated growth in the cyber insurance market is due, in large part, to the growth in cyber attacks, which carry a significant cost. But it has been difficult for insurers to assess how much risk they are insuring against from these attacks.
Obstacles to the further development of the cyber insurance market include improving the collection and sharing of high-quality data on cyber incidents, the potential for catastrophic losses that could result from attacks on whole sectors of the economy, and the difficulty of protecting against fast-changing hacking technology. Even companies that know they need cyber insurance are not always clear on how much coverage they need or are getting.
“In general, the cyber insurance market would benefit from greater standardization, such as of terminology, policy language, and best practices for cyber hygiene,” the report said.
Cyber Insurance: A Guide For Policymakers
The market for cyber insurance, a product that did not even exist before the mid-1990s, is booming. According to the Insurance Information Institute, the U.S. cyber insurance market generated about $2 billion in premiums in 2014. Some experts estimate that premiums will increase to $7.5 billion by 2020.1 High-profile hacks on confidential customer data and prominent companies—like Sony, Target, Apple, multiple large banks, as well as the Department of Defense and U.S. Office of Personnel Management—have raised concerns about the integrity of the personal data entrusted to firms and government agencies. These cyber incidents also raise alarms among policymakers and regulators, who understand that the attacks threaten economic activity, financial markets, and U.S. national security.
In response to these attacks, companies are upgrading their systems and purchasing cyber insurance protection. Government interest is also driving the growth of the market. Nearly all states, for example, now require companies to notify customers of cyber breaches. Cyber insurance is also growing globally, as the European Union is expected to implement cybersecurity rules in the near future. Another dynamic increasing the demand for cyber insurance is the growing realization among directors and officers of companies that they could be held personally liable for cyber attacks.
In this issue brief, the Bipartisan Policy Center’s insurance task force starts with the premise that a well-functioning market for cyber insurance, one that offers a robust range of products that meet the needs of consumers in a competitive environment, would benefit consumers, businesses, and national security. Reaching that goal will require overcoming some difficult obstacles. This paper provides a guide to policymakers on how best to address these obstacles and facilitate a well-functioning cyber insurance market in the United States.
The recent and anticipated growth in the cyber insurance market is due, in large part, to the growth in cyber attacks. In 2014, there were 783 reported data breaches in the United States, and those breaches exposed 85.6 million records.2 There were likely many more breaches that went unreported. These attacks carry a significant cost. One report estimated the annual cost of cybercrime to the global economy is between $375 billion and $575 billion per year.
One of the chief obstacles in the further development of the cyber insurance market is defining what constitutes cyber insurance. Among the elements a cyber insurance protection policy can include are:
- Liability for a security or privacy breach, such as when confidential customer information is compromised
- Costs of notifying customers of a breach and providing them support services
- Losses from business interruption following an attack
- Costs for restoring or replacing lost or damaged data
- Liability for directors and officers of a company targeted by an attack
- Costs associated with settling cyber extortion threats
Given these various risks, cyber insurance policies are often customized for individual firms rather than sold as standard policies. Also, since the market is relatively young, policy terms have not been standardized through judicial interpretations.
Obstacles to a Healthy Cyber Insurance Market
The central obstacle to a robust, well-functioning cyber insurance market is the inability of both insurers and insureds to know exactly how much risk is involved in cyber attacks. The difficulty in underwriting cyber insurance means that the supply and demand for insurance coverage may be significantly mismatched to actual risk. If insurers underestimate the risk that they are insuring, they may face heavy losses for one or more insurable events. On the other hand, if they overestimate the risk they are insuring, they may not offer enough insurance to meet demand or offer it at excessive premiums that deter potential customers from purchasing the coverage they need to mitigate risk.
A number of factors contribute to the difficulty in underwriting cyber insurance.
Lack of Data
At a basic level, there is a lack of high-quality data about how many cyber incidents are taking place and how much damage those incidents are causing to firms and the economy as a whole. As noted above, there are some general estimates of the number and cost of breaches, but there is no established mechanism for companies and government agencies to share data with each other. Last year, Congress did enact cybersecurity legislation that should help to address this gap and lead to more data sharing on certain kinds of cyber incidents once the law is implemented.
Yet, the data challenge goes beyond tracking attacks and sharing information. Some companies that are hacked do not realize it and so never report those attacks. Other companies prefer to keep knowledge of attacks private, fearing reputational damage. Still others realize that they were attacked but are not able to fully assess the damage done. In short, the assessments being made today about the scope and significance of cyber risk are educated guesswork.
Difficulties in Threat Modeling
The evolving nature of cyber threats also makes it difficult to assess underwriting risk. Good data about past events that triggered claims gives insurers the opportunity to model the likelihood of future losses. But even if the ability to understand and model past cyber threats improves materially, there will still be uncertainty in assessing future risk because the nature of cyber threats can change so rapidly. A foreign government or activist hacker group could announce it had both a new technology for which there was no defense and a plan to undermine major U.S. corporations. In turn, these events could destabilize financial markets and have a disruptive impact on both insurers and the corporations that may be subject to attacks.
Problems do not arise just from external sources. Many cyber incidents can be traced to employees who either knowingly or unwittingly opened a window to allow an attack. A company laptop that is inadvertently left at an airport can become a tool for hackers. Each time a firm hires a new employee with access to critical systems, its risk profile immediately changes. Managing these internal risks will remain a challenge for companies and insurers.
The effectiveness of modeling will depend on the stability and predictability of the technology used for cyber attacks. If attacks retain a significant degree of unpredictability, then pricing future risk will remain problematic.
The primary problem for insurers to solve may be aggregation risk, or the risk that they will have to pay a large number of unexpected claims within a short period of time due to related losses, such as those that follow an earthquake or hurricane. Insurers are used to focusing on the risks of insuring a specific firm, but they are not as used to focusing on the risks to the entire insurance industry from vulnerabilities that affect many companies at the same time.
An example of this aggregation risk would be if most of the major firms in a sector—such as power utilities or financial institutions–used the same control software, enterprise risk-management strategy, or IT infrastructure. A cyber attack on a vulnerability in any of those systems could affect an entire sector at once, potentially resulting in huge simultaneous losses for the insurance industry. One 2015 report estimated that a major cyber attack on the U.S. power grid could result in $21.4 billion to $71 billion in claims paid by the insurance industry, with a much larger impact on the U.S. economy.5 In this sense, aggregation risk is systemic risk.
Policymakers have addressed aggregation risk in some other contexts. In response to the terrorist attacks on September 11, 2001, Congress enacted the Terrorism Risk Insurance Act (TRIA) in order to sustain a viable private market for the many parts of the economy that would require terrorism risk insurance. TRIA provides a government backstop for extreme-loss scenarios. Similarly, the federal flood insurance program provides subsidized insurance coverage for homeowners and businesses in flood zones. In contrast to flood insurance, insurance against most other disasters, which also can result in huge, aggregated losses, has largely been sold on the private market. However, the aggregation risk from most disasters can be limited because the damage they cause is generally restricted to specific geographical regions. The same is not usually true of cyber risk.
The lack of quality data on cyber attacks is exacerbated by aggregation risk, which can be difficult to identify and manage. If it cannot be successfully managed, the result could be an insufficient supply of coverage that does not satisfy the needs of the market or a risk of catastrophic losses that the insurance industry cannot handle.
Lack of Understanding of What Is Covered
Even companies that know they need cyber insurance are not always clear on how much coverage they need or are getting. Cyber attacks make one think of virtual damage, but a computer virus can cause physical property damage as well, such as when the Stuxnet virus damaged machinery used in Iran’s nuclear program. A firm may believe it is protected by general liability coverage when its policy actually excludes cyber attacks, or the language of the policy is ambiguous and results in denied claims. Some firms may be unaware of the different kinds of losses to which they are vulnerable and only be covered for some of them.
This problem is magnified by the fact that cyber insurance is generally not standardized or sold as a single policy. Coverage is usually tailored to the individual circumstances of specific firms and is cobbled together with different policies that address different kinds of cyber threats. For instance, a company may find it necessary to buy separate policies that address business interruption, customer-response costs, and protection from data loss due to cyber attacks.
The absence of standardized cyber insurance policies also can expose insurers to unanticipated risks. A policy may be deemed to cover losses from cyber attacks simply because that risk is not specifically excluded in the policy. Insurers that sell such a policy may even be unaware of the risk they have taken on with regard to cyber attacks. In 2012, for example, a court ordered AIG to pay almost $7 million in damages to DSW Shoe Warehouse. The court rejected AIG’s argument that DSW’s crime insurance policy excluded coverage for hacking DSW’s computer system.6 Insurers less well versed in the ins and outs of cyber insurance could find themselves insuring more cyber risk than they realized.
Lack of a Common Vocabulary
The lack of a common vocabulary associated with cyber threats has contributed to the absence of standardized insurance policies. Many of the basic terms related to cyber threats have not been well defined. For example, what exactly constitutes a “cyber incident”? What are “critical infrastructure,” “hacking,” and “data breaches”? These terms may seem like common sense, but that standard is not good enough when it results in a misunderstanding between a policyholder and an insurer on what precisely constitutes a cyber attack and will trigger a claim.
TRIA policies illustrate this problem. Coverage for cyber attacks under TRIA policies is not settled. TRIA likely does not cover cyber attacks per se, but it likely would cover certain cyber-related damages that would normally be covered by terrorism insurance.7 Another problem is how to label the attack. Is it “terrorism” or is it a “cyber attack”? The group that hacked Sony Pictures Entertainment in 2014 initially convinced many that the attack was sponsored by North Korea as an act of terrorism, in retaliation for a specific film produced by Sony, but many experts have since questioned that conclusion. It can take years to determine who was behind an attack, and sometimes investigators never know with certainty. Such cases make it hard to know whether the responsibility to cover losses will fall to the insurance industry or to TRIA. It is important not just to develop a common vocabulary, but also one that is adaptable to address uncertain and unforeseen future scenarios.