Cyber business to quadruple within four years

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.ibamag.com/news/cyber-business-to-quadruple-within-four-years-26378.aspx

Anyone who's ever worked in cyber security (or what used to be called IT
security) will know the old adage that a security breach is never
impossible, only improbable. It is this fundamental truth that has caused
companies to go running for cover in recent years, especially in the wake
of high-profile breaches affecting names like Target, Home Depot and Ashley
Madison.

For the insurance industry, cyber looks like the next gold rush. Robert
Gordon, senior VP, policy development & research at the Property Casualty
Insurers Association of America (PCI), said cyber risk is the top issue the
association's members are facing.

“The market is innovating so rapidly in this area and it's a great
opportunity for insurers to bring a wealth … of protection when a loss
happens, [and to encourage] companies to have the right sorts of standards
to protect themselves and to mitigate losses,” he said at the annual PCIAA
conference in Florida last week.

The numbers are certainly attractive, especially in the US, which is the
most developed market for cyber insurance. Gerry Skalka, SVP, casualty
underwriting at Munich Re, said that the current estimate of the size of
premiums in the sector is about US$2.75 billion, of which about 90% is in
the US. In terms of growth, the industry also estimates that anywhere from
US$7.5 billion to US$10 billion is a “reasonable premium” for 2020-2021.

This is backed up by evidence of maturity in the still nascent sector.
“Cyber is changing from a risk that people try to prevent to a risk that
people try to manage,” said Ben Walter, CEO of Hiscox. “A cyber breach is
not something that you can absolutely 100% prevent and that means it's a
risk, so you need to manage it if and when it does happen,” he said.

According to Walter, this acceptance of the risk is a key factor in why the
industry is seeing such uptake of products. “If you could prevent it, you
might not insure against it,” he said.

But the sector is not without its growing pains. PCI's Gordon said that
while cyber is one of the fastest growing areas of insurance, “It's a very
difficult line to model and price and it’s very akin to terrorism risk,
where there is a lot of independently correlating events and not a lot of
loss data.”

Cyber insurance is considered high risk, and the premiums are going up to
reflect that. After staying relatively unchanged in 2014, rates for
retailers have increased 32% in the first half of 2015, according to data
from Marsh, prompting Tom Reagan, an executive at Marsh, to comment: "Some
companies are struggling to find the money to buy the coverage they want.”

There is also a trend for US insurers in some cases to raise deductibles or
limit coverage to US$100 million or more, which has left many large
companies exposed, since hacks could lead to losses more than twice that
amount. A chilling effect of this scenario is that smaller insurers are
refraining from entering the market at all, decreasing competition.

But in an unusual turn of events, regulation could turn into the insurance
industry's saving grace.

“Total global losses from cyber crime stood at US$445 billion as of June
2014. With governments becoming increasingly involved in cyber threats, the
prospect of compulsory cyber risk insurance could become a reality,” said
Jay Patel, an insurance analyst at researcher Timetric. This would
transform the market and could create a strong source of future revenues
for non-life insurers.

It's a point not missed by PCI's Robert Gordon. “There's interest at every
level. The National Association of Insurance Commissioners (NAIC) is
working on cyber model legislation and even internationally they're trying
to work on potential cyber standards,” he said.

Furthermore there's growing concern about cyber risk in non-cyber insurance
lines. “What's the possible impact on your auto insurance following a cyber
attack on a large fleet of cars?” he asked.

What's likely is that insurers will start readjusting their models for
cyber risk, just like they did with terrorism after 9-11 to better reflect
those risks, Gordon said.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!