Cyber insurance is growing rapidly: a report last year by consultant PwC suggested the global market for the cover could reach $5bn a year in premiums by 2018 and $7.5bn by the end of the decade.
Not everyone thinks that’s necessarily a good thing, though. Cyber risks are poorly understood by insurers and could pose a threat to their business, according to Michel Liès, the outgoing chief executive of major reinsurance group Swiss Re. With a short history of claims to work from, inconsistently recorded data and rapidly changing threats, there are real difficulties for insurers in evaluating and pricing the risks.
“It is too early for me to make a statement on whether cyber is an opportunity, a threat – or in the middle,” he told the Financial Times.
Liès has previously been among those suggesting the difficulties mean at least some cyber risks are better insured ultimately by the government. The Pool Re scheme that underpins terrorism cover in the UK could be extended to cover big cyber attacks, they argue.
No quick fix
In truth, though, the growth of the cyber insurance market reflects the fact that it does have a role. First, it can provide cover for the costs when problems arise. In the US, uptake of the cover has been driven in large part by the costs associated with regulations forcing companies to notify customers when breaches of their data occur. In the EU, the advent of the General Data Protection Regulation is expected to have a similar effect.
Moreover, many of the covers provide access to consultants and experts, which can be invaluable in improving responses when a data breach or attack occurs, particularly if in-house expertise is lacking.
Nevertheless, it remains better to have consulted adequately and built resilience before an incident, rather than relying on an insurer to pick up the pieces.
Partly that’s because the cover provided by policies varies widely. Cyber insurance remains a young market and there’s still a way to go before policies are standardised. Buyers are frequently cautioned to be careful to check exactly what their policy covers, and be aware that cover for some risks may be difficult to obtain. Related to this, many insurers are – in Liès’ words – “massively selective” about what and whom they will cover.
PwC picked up on both these points: “Given the high costs of coverage, the limits imposed, the tight terms and conditions and the restrictions on whether policyholders can claim, many policyholders are questioning whether their policies are delivering real value.”
All this is not to say insurance is not a good idea; it’s just no panacea. Thinking seriously and putting the work in before an incident should enable companies to get a better deal from their insurers in any case. It will also mean they are better placed to limit the damage if an incident does occur – whether or not their insurance responds.
More fundamentally, it will mean they are less likely to fall victim to successful attacks in the first place.