Cyber insurance market grows in US

US insurers are becoming more skilled at underwriting and pricing standalone cyber insurance policies as businesses show a greater interest in protecting themselves from data breaches and attacks, according to the Insurance Information Institute (III).

"More than 60 carriers offer standalone cyber insurance policies, and it is estimated the US market is worth over $3.25 billion in gross written premiums in 2016, with some estimates saying it has the potential to grow to $7.5 billion," wrote Dr. Robert Hartwig, special consultant to the III, and Claire Wilkinson, author of the Ill's award-winning Terms + Conditions blog. They are the co-authors of the Ill's newly released white paper, Cyber Risk: Threat and Opportunity.

Cyber incidents were ranked as the third-highest global business risk in 2016, Allianz's Risk Barometer determined. The average cost of a breach in the United States reached $7 million in 2016, a Ponemon Institute survey cited in the Ill's report found. According to III, most traditional commercial general liability policies do not cover cyberrisks.

Tailored to a business' specific needs, a standalone cyber insurance policy typically offers the following coverages, the Ill's white paper explains:

Liability - Covers the costs (e.g., legal fees, court judgements) incurred after a cyberattack, such as data theft, or the unintentional transmission of a computer virus to another party, causing them financial harm.

Crisis Management - Covers the cost of notifying consumers about a data breach that resulted in the release of private information, and providing them with credit monitoring services, as well as the cost of retaining a public relations firm or launching an advertising campaign to rebuild a company's reputation.

Directors & Officers (D&O) / Management Liability - Covers the cyber liability risks faced individually by a company's key decision-makers while acting on behalf of the company.

Business Interruption - Covers loss of income due to an attack on a company's network that limits its ability to conduct business.

Cyber Extortion - Covers the "settlement" of an extortion threat against a company's network, as well as the cost of hiring a security firm to track down the blackmailers.

Loss / Corruption Of Data - Covers damage to, or destruction of, valuable information assets as a result of "viruses, malicious code, and Trojan horses," the white paper states.

Criminal Rewards - Covers the cost of posting a criminal reward fund for information leading to the arrest and conviction of a criminal who has attacked a company's computer systems.

Data Breach - Covers the expenses and legal liability resulting from a data breach.

Identity Theft - Provides access to an identity theft call center in the event of stolen customer or employee personal information.

Cyberrisks, however, remain challenging for insurers to underwrite, Hartwig and Wilkinson acknowledge. The three reasons the paper cites include the constantly changing range of perpetrators, targets, and exposure values; a lack of historical actuarial data; and the interconnected nature of cyberspace, which makes it difficult for insurers to assess the likely severity of cyberattacks.