Cyberrisk: Threat and Opportunity

By Robert Hartwig & Claire Wilkinson of the Insurance Information Institute

November 1, 2016

Executive Summary

Interest in cyber insurance and risk continues to grow beyond expectations in 2016, in part due to high-profile data breaches, but also due to awareness of the almost endless range of exposures businesses face.

  • The Panama Papers global breach underscored the importance of having a robust insurance program and security strategy.
  • Breaches targeting medical/healthcare providers continue apace. A ransomware attack in February against a Hollywood, California, hospital forced its computer systems offline for more than one week. While patient records were not compromised, the hospital paid a ransom to the hacker to regain control of its systems.
  • Insurers are also coming under attack. Two high-profile breaches in 2015 targeted health insurers Anthem and Premera Blue Cross, exposing data on 78.8 million and 11 million customers, respectively.
  • The U.S. government has also been targeted by hackers. Recent breaches at the Federal Deposit Insurance Corp (FDIC) and the Internal Revenue Service follow multiple breaches in May 2015 of The Office of Personnel Management and Interior Department systems that compromised the records of 22 million current and former civilian U.S. government employees.

Attacks and breaches have grown in frequency, and loss costs are on the rise. In 2015, the number of U.S. data breaches tracked totaled 781—the second highest year on record—with 169 million records exposed. In the first half of 2016, some 507 data breach events have been publicly disclosed as of July 7, with 12.8 million records exposed. These figures do not include the many attacks that go unreported. In addition, many attacks go undetected. Despite conflicting analyses, the costs associated with these losses are increasing. McAfee and CSIS estimated that the likely annual cost to the global economy from cybercrime is $445 billion, with a range of between $375 billion and $575 billion.

Insurers are issuing an increasing number of cyber insurance policies and becoming more skilled and experienced at underwriting and pricing this rapidly evolving risk. They are also working with catastrophe modelers to develop a standardized approach to identify, quantify and report exposure data across the industry. More than 60 carriers now offer stand-alone cyber insurance policies, and it is estimated the U.S. market is worth over $3.25 billion in gross written premiums in 2016, with some estimates suggesting it has the potential to grow to $7.5 billion.

Some observers believe that exposure is greater than the insurance industry’s ability to adequately underwrite the risk. Attacks have the potential to be massive and wide-ranging due to the interconnected nature of this risk, which can make it difficult for insurers to assess their likely severity. The underreporting of attacks means that accurately evaluating exposures is challenging. Several insurers have warned that the scope of the exposures is too broad to be covered by the private sector alone, and a few observers see a need for government cover akin to the terrorism risk insurance programs in place in several countries.
