We live in an era of disruption. Technology redefines our world on a regular basis, as the wonders of networks that allow data to be transferred virtually without restriction have enmeshed knowledge and commerce into our lives on an uninterrupted basis. The value of the digital environment that enables our modern existence continues to increase.
With value comes risk. Just as the frontier settlers who improved their land for farming purposes erected flood protections, so too have businesses sought to protect their virtual terrain. Digital firewalls and anti-virus utilities are now ubiquitous. But like the farmers, firms are finding that strictly defensive measures are not sufficient to secure the value of their assets.
The average cost of a cyber breach is now $674,000, according to a recent study by NetDiligence. Allianz Global Corporate & Specialty pegs the figure at $3.8 million. High-profile data breaches at firms like Anthem and Target – the latter of which suffered $252 million in losses – have led many firms to consider alternative strategies for managing their risk. The principal means of doing so is through specially tailored insurance products – cyber insurance.
At the moment, there is no standard form cyber-insurance policy, but they share the common characteristic of covering Internet-based risks. Within that broad category, policies can provide coverage for a range of losses, from direct and expected harms, like first-party liability associated with lost or destroyed data, to further attenuated damages, like the reputational injury brought about by a breach.
While cyber-insurance policies have been around since the turn of the century, they only recently have begun to proliferate. A combination of a heightened sense of vulnerability and recently affirmed certainty that existing commercial general liability policies exclude cyber losses has seen the take-up rate at relevant firms rise all the way to 52 percent, according to insurance consultancy Advisen.
That growth is a positive trend. Quietly, there has been a brewing political movement to shift risk into public hands, onto the backs of taxpayers. Now $25 billion in the red, and with no hope of ever escaping that state, the National Flood Insurance Program should be a prime example of how not to handle erratic and expensive risks.
But three obstacles currently confront the cyber-insurance market and must be overcome to prevent a backslide: capacity, underwriting experience and regulatory interest.
The Federal Insurance Office, a U.S. Treasury Department advisory office established by the Dodd-Frank Consumer Protection Act, reported in September that there is a need for policies with $1 billion coverage limits. That’s double the current highest-limit cyber insurance policies. Among competitively priced products, limits tend to hover between $100 and $200 million.
It’s undoubtedly the case that higher-limit policies must become available to cover the largest cyber claims. Among the difficulties is the comparatively limited pool of actuarial experience with cyber losses, which leaves underwriters struggling to price the product. As time goes on, experience will grow, and firms will be able to price these new products with greater certainty. Until that time, we should expect heightened regulatory interest.
Insurance regulators are properly charged with monitoring insurer solvency, and it’s totally appropriate for them to keep a close eye on the development of cyber coverages. But regulators’ instinct to direct market outcomes could have a hugely problematic influence on this new line of business. Right now, the space for creativity and even some limited room for product failures should be granted to insurers as they make their way into this new area.
The Internet may well be the world’s most valuable public resource; it’s the platform on which the economic well-being of billions rests. The next step in protecting that resource is to encourage private innovators to develop the products needed to facilitate their next great idea.