The White House Council of Economic Advisers (CEA) released a report in February estimating the economic costs of malicious cyber activity to the U.S. economy. According to the report, cyberattacks, cyber thefts and other forms of cyber misbehavior caused between $57 billion and $109 billion in damage to the U.S. economy in 2016. By now the bottom-line consequences of a cybersecurity incident are well understood, and as a result some companies are obtaining cyber liability insurance to protect themselves against these risks. However, as the cyber liability market is still maturing, prices remain high and meaningful actuarial data about cyber threats remain scarce.
In recent years, insurers have overwhelmingly moved to exclude cyber from general liability policies, effectively leaving companies exposed to a litany of risks associated with their digital infrastructure, technology assets and stored data. These exposures could include costs incurred by a company when responding to a cybersecurity incident, or litigation and regulatory penalties resulting from such an incident, or even cyber extortion and terrorism.
The range of potential costs is staggering and for now remains difficult to quantify. As a result, there is still a good deal of variation across cyber liability products when compared to more traditional forms of commercial insurance. Additionally, cyber liability insurance remains expensive. Industry commentators surveying businesses about their coverage report that premiums range from $1 thousand to $80 thousand. Of course, the amount of premium paid by a specific company will depend on a host of factors, including its risk profile, the scope of coverage selected and coverage limits for the policy. One commentator suggests that businesses should expect to pay between $5 thousand and $50 thousand a year for policies offering $1–10 million in cyber-related coverage.
While the cyber liability insurance pool remains relatively small—only $1.35 billion in direct written premium was written in 2016—there are many indicators that the market is growing. By the end of 2015, more than 130 insurance organizations had entered the market, and since that time the amount of direct written premium for cyber policies has been increasing year-over-year. Additionally, insurers are increasingly writing stand-alone cyber liability policies. In fact, more than two-thirds of cyber coverage was written on a stand-alone basis during 2016. This is encouraging as it will allow insurers to refine actuarial modeling and stabilize pricing for many of their cyber products.
A stable and robust cyber liability insurance market will not only help to protect the U.S. economy, it should also lead to better cybersecurity practices and infrastructure within U.S. companies. Frequently, when obtaining cyber liability coverage, a company will upgrade security assets, audit IT procedures and update or create IT security policies in order to reduce premium amounts. Time will tell if these economic and operational incentives will help the cyber liability insurance market continue to grow. One economic research organization recently estimated that only 20–35% of U.S. companies have purchased a cyber-oriented policy, so clearly there are still plenty of businesses that do not see cyber liability insurance as necessary and/or affordable. This will not be the case in the future if current trends persist.