Although more and more businesses are turning to cloud-based solutions, many do not have any leverage against the risks of the online environment. In the US, for example, while 80% of businesses rely on cloud technology, two-thirds of them do not have protection. With the cost of cyber breaches on the rise, businesses are looking for ways to mitigate the risks to their online operations. Could cyber security insurance be the answer?
In response to the rising number of threats, some carriers have already started to provide insurance against cyber threats and network disruption. Most policies are capped at $200 million, meaning that large-scale damage such as a “cyber Pearl Harbor” would not typically be covered by insurance policies. The majority of companies purchase policies with liabilities limited at between just $5 million and $20 million.
Not only are the protections capped, but there is also an increasing number of exclusions. In 2012, America’s Court of Appeals held a bank division liable for fraudulent transfers from a user’s account. The court stated that the user was not sophisticated enough to recognize fraudulent activity and held the bank responsible for not providing adequate protection measures. After this precedent-setting court ruling, insurance providers are coming up with various policy exceptions.
Finally, to determine how effective companies are at limiting their exposure to cyber threats, risk and insurance companies conduct “maturity assessments”. The optimal frameworks for these assessments are still being debated and raise the issue of insurance pricing. So far there is no consensus on how to quantify and price cyber premiums, but for many small and medium enterprises, cyber insurance still remains unaffordable.
However, with the figures already cited, can companies afford not to have some sort of protection against cyber threats? Indeed, in a recent study, executives from the insurance industry ranked cyberattacks and cyber warfare among the top four extreme risks, along with a wide-scale pandemic, natural catastrophe and a food/water/energy crisis. And last year, almost half of US corporate boards named cyber security their top concern – a nearly twofold increase since 2008. It is perhaps for this reason that 77% of businesses that used cyber insurance say they would recommend it to other companies. And in addition to the 31% of large companies that have already purchased cyber insurance, another 39% are planning to purchase it. At the same time, until cyber breaches directly affect them, most businesses believe they can operate well without cyber insurance.
So where does cyber insurance go from here? As the number of attacks and their sophistication increase, the size of the cyber insurance market is expected to grow. In the US alone, the cyber insurance industry generates $1.3 billion per year. In Europe, the estimated annual industry revenue is $192 million and the market is expected to reach 900 million euros by 2018. In the US, the White House supported developing a cyber security insurance market for critical infrastructure companies. The European Union is debating a new regulation requiring companies to report breaches, which is seen as another factor driving the demand for this type of insurance coverage.
But many questions remain unanswered. How should the premium be priced? What is the responsibility of businesses towards their clients? How can companies quantify reputational damage from cyberattacks? Whatever the answer to these questions, with security labs registering around 69 new pieces of malware per minute, businesses are increasingly aware of the need to remain resilient at all times.
Author: Elena Kvochko is Manager for IT Industry at the World Economic Forum