In a world where security breaches and cyber attacks have increased in recent years, businesses are looking for new ways to defend themselves.
As a result, cyber insurance has become a popular method of protection, with the industry growing around 20 per cent year over year and the potential to be a $20 billion marketplace in the next five years, according to UK-based specialist insurance company, Beazley plc.
“There’s been a groundswell of cyber insurance being purchased over the last five years, but it’s been around for quite some time,” Bob Wice, US focus group leader for technology, media and businesses services at Beazley, tells IT World Canada. “Of course, every large breach or attack on a global level drives more buyers into the market, and with that happening more frequently, cyber insurance coverage has become fairly robust.”
But what exactly is cyber insurance? As Wice explains, it began as a way to fill the gaps in traditional insurance policies back in the 1990’s when the Internet developed into a business and consumer medium.
“All the traditional kinds of insurance coverage never talked about computer viruses, cyber extortion threats, hacking activity, or malicious code, and it became obvious pretty quickly that a new line of coverage and policy would need to be constructed to fill those gaps,” he explains. “But as all industries, it started off niche, and remained very narrow for years.”
He says that for much of the early 2000’s, companies that experienced security breaches believed they were the sole victims. But that notion transformed in 2005 when California – and later, 44 other states – enacted a law saying if there’s a suspicion of an unauthorized disclosure of Californian residents’ personal information, the organization entrusted with that information needs to notify its customers who may have been affected.
“This legislation change essentially put companies in the position where, if their security and privacy controls failed, they would be subject to real costs and real penalties,” Wice points out. “Companies were required to figure out what happened and what the cause of the breach was, which meant they needed technical experts to come investigate, as well as legal experts to determine how to move forward. And on top of all of that, they also had to start offering customers something from a crisis management standpoint that was more than just ‘hey, we messed up, sorry, won’t happen again.’”
He continues to say that by recognizing customers were in a vulnerable position because of their security breach, and the costs associated with that, companies began demanding a special kind of insurance for this exposure and risk.
“Here at Beazley, for example, our cyber insurance is a service that puts a breached company in a position to mitigate their loss and save their image, because the importance of responding to a breach in a concerted, informed, and transparent way is critical to a company’s reputation,” Wice adds. “We offer a package that connects companies to a suite of legal, technical, financial, and crisis management experts that, before the insurance, a company would have been scrambling to find at a time of panic and disarray.”
The original cyber insurance policies targeted the middle market, such as retailers, schools, the hospitality sector, and healthcare organizations, which generally had no experience responding to security breaches or the resources to deal with one, but that soon expanded. Now, the market is worth approximately $2 to $3 billion in revenue with more than 40 different providers of cyber-specific insurance across North America, and that number continues to grow as opportunities for its use continue to rise.
“Cyber insurance products and services have become mainstream as so many industries get hit hard by breaches. After Target was hit in December 2013, there was a groundswell of brick and mortar retailers buying coverage to protect their point of sale credit card processing devices. Then Sony was breached in 2014, which made a lot of big tech corporations nervous, and Ashley Madison in 2015, which resonated with a lot of digital-first businesses,” Wice highlights.
And with the most recent global ransomware WannaCry threatening everything from the UK’s National Health Service to FedEx, which resulted in “significant business interruptions and downtime,” companies both large and small are now looking at cyber insurance “as a less-than-optional purchase.”
“Modern viruses and ransomware really puts companies in a position where if they don’t pay or figure out how to overcome the attack, they risk losing data, which would mean they can’t conduct business the way they normally would. All of this has resulted in cyber insurance being a growth area for the insurance business, as well as an opportunity for insurance companies to really build a new line of coverage that’s been really not seen before,” Wice concludes.