Cyber security is a rapidly growing area of concern for executives across the world. The costs that can arise from a cyber breach can be catastrophic to a business. As a result, the cyber insurance market has ballooned over the past 10 years, as organizations are now recognizing that they are living in a “when” not an “if” scenario for facing a cyber or data breach.
According to a 2014 NetDiligence study, the average cyber insurance claim payout was $733,109. This includes costs for crisis communication and legal expenses, in addition to the corrective and restorative measures. Beyond the technical challenges, the reputational risk exposure can be irrecoverable.
From hacks at large retailers to the hacking of information in government databases, the need for protection is clear. We know that cyber risk is not slowing down or going away any time soon, but as a risk management professional in the insurance industry, it is hard not to observe that we seem to be on the verge of a “cyber bubble.”
Since the first cyber insurance policy was placed in 1997, the market has rapidly evolved; however, it is still in its infancy. Faced with a rate of cyber attacks much greater than could have been anticipated, insurers have certainly mispriced the risk, failing to account for the level of losses they will be forced to pay out in the coming years.
In insurance and risk management, actuarial teams generally price risks based on past loss data and historical performance. As a new class of risk emerges, the lack of backward-looking data makes pricing these risks difficult. Additionally, even the so-called experts in the industry are not able to fully understand how to prevent cyber breaches.
As the need for cyber insurance grows, more organizations are purchasing policies, and capital injections into the cyber insurance industry are outpacing the losses being paid out.