One of the main reasons to buy insurance is to prevent the cost of an accident or other disaster from breaking the bank. But what if simply buying insurance threatens to break the bank?
That scenario is starting to worry some organizations, for several reasons.
First is the simple but powerful market force of supply and demand. More and more organizations, spooked by regular stories of catastrophic breaches – such as the compromise of more than 1.5 billion Yahoo! accounts, which took down its acquisition value by a reported $350 million – are seeking insurance. And when demand rises, the price tends to do so as well.
Another factor is that cyber insurance is still a relatively new field – it was very much a niche business until less than a decade ago. So it lacks a lengthy and comprehensive history of risk and loss, in comparison to things like vehicles and housing, which have yielded generations of data to provide what insurers call “actuarial credibility.”
Cyber insurers are still figuring out their risk exposure. And as a number of experts point out, with threats expanding and changing rapidly, so are the risks.
“Cyber is a peril that is changing faster than insurers can collect experience data,” said Andrew Coburn, senior vice president of RMS. “Take the new loss process around ‘cyber-physical’ attacks, which can cause property damage, such as building fires.”
He and others also note that the explosive growth of the Internet of Things (IoT) – with estimates of 20 billion or more connected devices in use within three years – is a part of that changing peril, making for a rapidly expanding risk landscape that has yet to be measured.
There is also the reality that cyber attacks many times involve multiple targets.
“The major threat to the insurability of cyber is that a systemic attack, such as a cyber attack on the power grid, could cause a catastrophic loss, with many insureds hit by the same event,” Coburn said.
With that kind of uncertainty, erring on the side of caution tends to lead to higher prices, more exclusions that limit coverage – or both.
“Cyber insurance is a nascent industry,” said Robin Gottschalk, insurance producer on Insureon's technology desk. “So, while complex models are forecasting costs, realized costs can be much different. They can vary widely because there are more incidents than insurance companies are forecasting or because the incidents are more expensive than anticipated.”
Steve Durbin, managing director at the Information Security Forum, called risk measurement, “hugely complex,” and said many insurers are still struggling with cyber risks because of a lack of “significant data and trend analysis.”