Cyber insurance market growing with rising cyber threats

Image of a person staring glumly at his computer, with the words "Hacked" superimposed.

By Susan Rupe

Data breaches against multibillion-dollar companies make the headlines. Think Target, Starwood or Equifax, to name a few.

But smaller companies are not immune from a cyber attack. In fact, smaller businesses are often targeted by cyber criminals because of their size.

“Sometimes the small guys are the easiest target,” said Madison Mooney, business development specialist with cyberinsurer Coalition Inc. “Cyber criminals are getting in, getting the money and getting out.”

As technology becomes more advanced, bad actors find more ways to take advantage of companies, she said. “Cyber insurance is not just for protection but it enables businesses to safely undertake risks.”

Cyber insurance is the fastest-growing segment of the insurance market, Mooney said. The global cyber insurance market is expected to grow by 26% - to $84.6 billion – by 2023. Meanwhile, the global liability insurance market is projected to increase by 5.9% - to $418.8 billion – by 2023.

Cyber threat landscape dynamic

The cyber threat landscape is dynamic, Mooney said, with attacks coming from several different directions. The 2023 Coalition Claims Report found that phishing was the most common source of attack in the second half of 2022, with 78% of reported cyber attacks coming from phishing. Other sources of cyber attacks during that time included exploiting public-facing vulnerabilities (12%), external remote services (11%), and brute force or a trusted relationship (0.8% each).

“What we’re finding is with phishing driving cyber claims, human error is leading in claims. It’s one person making a minor mistake that has a broad impact,” she said.

Brokers and policyholders both face challenges when it comes to cyber insurance coverage. Mooney said that for brokers, the challenges for helping clients include the rapid evolution of coverage, the lack of a standard form, understanding the essential coverages, and understanding endorsements and enhancements. Policyholders are challenged by the complexities of coverage, the idea that cyber risk is hypothetical, lack of knowledge about cyber risk and figuring out essential coverage versus “nice to have” coverage.

Essential cyber insurance coverage has two components: first party and third party, Mooney said.

First party refers to the organization buying the coverage. That coverage relates to the organization’s direct costs incurred in getting back up and running after a cyber event. Third party is the organization’s clients or others whose data was at risk by a cyber attack.

First party coverage will include data breach and cyber incident costs, business interruption and extra expenses, network and data recovery or restoration, and cyber extortion. Third party coverage will include network and security information recovery, regulatory defense and penalties, and media liability.

What cyber threat triggers coverage?

The base coverage trigger in first-party coverage is the data breach or security failure that led to the cyber event, said Adam Smith, claims counsel at Coalition Inc. The main goal at this point is to find whose data was accessed so that legal notification letters can be sent to the affected parties.

Every cyber incident involves legal expenses, Smith said, and cyber insurance typically covers those legal expenses as well as incident response and forensics.

The costs of recovering from a cyber incident can escalate quickly, he noted. Legal expenses, incident response and forensics, and business interruption can pile up.

“The first priority is to get the insured back on their feet and where they were before the incident,” he said.

Smith said business owners frequently believe they don't need to worry about a cyber threat, “but no one is completely exempt from being a target.

“If hackers see a vulnerability, they’ll jump in there.”

Susan Rupe is managing editor for InsuranceNewsNet. She formerly served as communications director for an insurance agents' association and was an award-winning newspaper reporter and editor. Contact her at [email protected]. Follow her on Twitter @INNsusan.