What are the prospects of the cyber insurance market? Will it turn into a true panacea for potential victims of cybercrimes or not? To try to answer these questions, let's first have a look at some key stats:
The global market for cybersecurity insurance was USD 7.60 billion in 2021 and is expected to grow to USD 20.43 billion by 2027.
Over the past 3 years, cyber insurance claims have increased by 100% and payouts a 200%, with the peak claims being 8,100 in 2021.
99% of all cybersecurity insurance claims came from SME companies (annual revenue under $2 billion).
A small to medium enterprise's average cybersecurity insurance claim cost is $345,000.
Judging by these trends, there should be no worries about the future of cybersecurity insurance… or should be?
Mario Greco, the Zurich CEO, shares a not-so-optimistic point of view. At the end of 2022, he stated in an interview with Financial Times that cyberattacks will become uninsurable.
What will become uninsurable is going to be cyber," Greco said, "What if someone takes control of vital parts of our infrastructure? The consequences of that? There must be a perception that this is not just data . . . this is about civilization. These people can severely disrupt our lives.
That's an alarming forecast, but some recent developments show that the market might be moving in that direction. Growing cyber losses have made underwriters limit their exposure; some insurers raised prices and tweaked policies to limit their potential payouts.
Zurich's CEO knows what he is talking about. The company recently settled a 100 million lawsuit brought by Mondelez International for refusing to pay out on cyber claims. They were related to the 2017 NotPetya attack when Mondelez had 24,000 laptops and 1,700 servers down.
Zurich claimed it was an act of war exemption, an attack by one state against another, so it was collateral damage. Mondelez claimed otherwise. The settlement details are not public, but many believe the court was beginning to weigh in favor of Mondelez.
Whatever the settlement was, it had not set a precedent, and the major problem with such attacks persisted: a confident identification of who or what stands behind a cyber-attack. So, clarity has yet to be added for insurers or businesses, but insurers will definitely continue to reduce their exposure.
But will they be able to retain and grow the market by doing so? We are still waiting to see this, as increasing prices and exceptions might easily take the insurers over the line where businesses stop buying cyber insurance.
This situation can be amended if the governments join the process of underwriting the losses from cyber attacks, similar to how it happens in some jurisdictions for earthquakes or terror attacks.
The potential impact of major cyber attacks makes such a move look justified, but so far, the cyber risks part of the landscape is developing faster. And we are still to see whether insurers and governments can keep up.
Cyber insurance, while viable, does not look like the best option. An up-to-date and reliable cybersecurity program for your business will likely remain the best option. It might be complicated to build, but it is realistic. Even if you are unlikely to reduce the possibility of a breach to zero, a business can minimize its consequences for clients and for itself.