Cyber insurance
Cyber insurance is a specialty insurance product intended to protect businesses from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities. Risks of this nature are typically excluded from traditional commercial general liability policies, or at least are not specifically defined in traditional insurance products. Coverage provided by cyber-insurance policies may include first- and third-party coverage against losses such as data destruction, extortion, theft, hacking, and denial-of-service attacks; liability coverage indemnifying companies for losses to others caused, for example, by errors and omissions, failure to safeguard data, or defamation; and other benefits including regular security audits, post-incident public relations and investigative expenses, and criminal reward funds.
Advantages
Because the cyber insurance market in many countries is relatively small compared to other insurance products, its overall impact on emerging cyber threats is difficult to quantify.[1] As the impact of cyber threats on people and businesses is also relatively broad when compared to the scope of protection provided by insurance products, insurance companies continue to develop their services.
As well as directly improving security, cyber insurance is beneficial in the event of a large-scale security breach. Insurance provides a smooth funding mechanism for recovery from major losses, helping businesses to return to normal and reducing the need for government assistance.[2][3]
As a side benefit, many cyber-insurance policies require entities seeking coverage to undergo an IT security audit before the insurance carrier will bind the policy. This helps companies determine their current vulnerabilities and allows the insurance carrier to gauge the risk it is taking on by offering the policy to the entity. After the IT security audit, the entity procuring the policy will in some cases be required to remediate the identified IT security vulnerabilities before the cyber-insurance policy can be bound. This in turn helps reduce the risk of cyber crime against the company procuring cyber insurance.[4]
Finally, insurance allows cyber-security risks to be distributed fairly, with the cost of premiums commensurate with the size of expected loss from such risks. This avoids potentially dangerous concentrations of risk while also preventing free-riding.
History
According to Josephine Wolff's research into the history of cyber insurance, its origins trace back to an April 1997 International Risk Insurance Management Society convention at which Steven Haase presented the launch of the first cyber insurance product, including first- and third-party coverages.[5][6][7] Haase first came up with the concept of cyber insurance a few years earlier and had discussed it with various industry colleagues at times, but this 1997 event marked a breakthrough moment when the first cyber insurance policy and underwriting platform were actually launched. The event resulted in the creation of the first policy designed to focus on the risks of internet commerce, which was the Internet Security Liability (ISL) policy, developed by Haase and underwritten by AIG.[8] Around this same time, in 1999, David Walsh founded CFC Underwriting in the United Kingdom, a company which treats cyber as one of its main focus areas.[9][10] Chris Cotterell founded Safeonline around the same time, which soon became another significant player in the cyber insurance space.[11][12] The early meeting between Haase and 20 industry colleagues in Hawaii is now commonly referred to as the "Breach on the Beach" and is considered a pivotal moment at which cyber insurance was first recognized and celebrated.[13][14]
After a significant malware incident in 2017, Reckitt Benckiser released information on how much the cyberattack would affect its financial performance, leading some analysts to believe the trend is for companies to be more transparent with data from cyber incidents.[15] Purchases of cyber insurance have increased due to the rise in internet-based attacks, such as ransomware attacks. According to the U.S. Government Accountability Office, "Insurance clients are opting in for cyber coverage—up from 26% in 2016 to 47% in 2020. At the same time, U.S. insurance entities saw the costs of cyberattacks nearly double between 2016 and 2019. As a result, insurance premiums also saw major increases."[16]
Current need
A key area of risk management is establishing what constitutes an acceptable risk for each organization, or what is 'reasonable security' for its specific working environment. Practicing 'duty of care' helps protect all interested parties (executives, regulators, judges, and the public) who can be affected by those risks. The Duty of Care Risk Analysis Standard (DoCRA)[17] provides practices and principles to help balance compliance, security, and business objectives when developing security controls.
Legislation
In 2022, Kentucky and Maryland enacted insurance data security legislation based upon the National Association of Insurance Commissioners ("NAIC") Insurance Data Security Model Law (MDL-668).[18] Maryland's SB 207[19] takes effect on October 1, 2023. Kentucky's House Bill 474[20] goes into effect on January 1, 2023.
Existing issues
During 2005, a "second generation" of cyber-insurance literature emerged targeting risk management of current cyber-networks. The authors of such literature link the market failure to fundamental properties of information technology, especially correlated risk, information asymmetries between insurers and insureds, and interdependencies.[21]
According to Josephine Wolff, cyber insurance has been "ineffective at curbing cybersecurity losses because it normalizes the payment of online ransoms, whereas the goal of cybersecurity is the opposite—to disincentivize such payments to make ransomware less profitable."[22]
Ambiguities in terms
In 2019, FM Global conducted a survey of CFOs at companies with over $1 billion in turnover. The survey found that 71% of CFOs believed that their insurance provider would cover "most or all" of the losses their company would suffer in a cyber security attack or crime. Nevertheless, many of those CFOs reported that they expected damages from cyber attacks that are not covered by typical cyber attack policies. Specifically, 50% of the CFOs said that they anticipated a devaluation of their company's brand after a cyber attack, while more than 30% expected a decline in revenue.[23]
War exclusion clauses
Like other insurance policies, cyber insurance typically includes a war exclusion clause, explicitly excluding damage from acts of war. While the majority of cyber insurance claims will relate to simple criminal behaviour, companies are increasingly likely to fall victim to cyberwarfare attacks by nation-states or terrorist organizations, whether specifically targeted or simply as collateral damage. After the US and UK governments characterized the NotPetya attack as a Russian military cyber-attack, insurers argued that they do not cover such events.[24][25][26]
Insurance Linked Securities for Cyber Risk Management
In a recent academic effort, researchers Pal, Madnick, and Siegel from the Sloan School of Management at the Massachusetts Institute of Technology were the first to analyze the economic feasibility of cyber-CAT bond markets. They applied economic theory and data science to propose conditions under which it is economically efficient to cover residual cyber-risk through re-insurance markets transferring risk (without the existence of CAT bond markets), CAT bond markets transferring risk (in the presence of re-insurance markets), or self-insurance markets (in the absence of re-insurance and CAT bond markets).[27][28]
Pricing
As of 2019, the average cost of cyber liability insurance in the United States was estimated to be $1,501 per year for $1 million in liability coverage, with a $10,000 deductible.[29] The average annual premium for a cyber liability limit of $500,000 with a $5,000 deductible was $1,146, and the average annual premium for a cyber liability limit of $250,000 with a $2,500 deductible was $739.[30] In addition to location, the main drivers of cost for cyber insurance include the type of business, the number of credit/debit card transactions performed, and the storage of sensitive personal information such as dates of birth and Social Security numbers.
References
- ^ Toregas, Costis. "Insurance for Cyber Attacks: The Issue of Setting Premiums in Context" (PDF). Archived (PDF) from the original on 2020-07-27.
- ^ Baban, Constance P.; Gruchmann, Yvonne; Paun, Christopher; Constanze Peters, Anna; Stuchtey, Tim H. (December 2017). "Cyber Insurance as a Contribution to IT Risk Management." Brandenburg Institute for Society and Security gGmbH. Retrieved 27 January 2025.
- ^ "Cyber-Insurance Metrics and Impact on Cyber-Security" (PDF). ObamaWhiteHouse.gov. Retrieved 26 March 2025.
- ^ Tsohou, Aggeliki; Diamantopoulou, Vasiliki; Gritzalis, Stefanos; Lambrinoudakis, Costas (2023-06-01). "Cyber insurance: state of the art, trends and future directions". International Journal of Information Security. 22 (3): 737–748. doi:10.1007/s10207-023-00660-8. ISSN 1615-5270. PMC 9841933. PMID 36684688.
- ^ Wolff, Josephine (August 30, 2022). "A Brief History of Cyberinsurance". Slate. Retrieved September 29, 2024.
- ^ Williams, Carl (June 7, 2024). "How Steven Haase Pioneered Cyber Insurance and Shaped an Industry". Tech Times. Retrieved September 29, 2024.
- ^ Szczepanski, Kevin (March 2, 2022). "Barclay Damon Live Presents: The Cyber Sip Podcast, Episode 8: State of the Market – Cybersecurity Insurance, With Kelly Geary" (PDF). Barclay Damon. Retrieved September 29, 2024.
- ^ Wolff, Josephine (August 30, 2022). "A Brief History of Cyberinsurance". Slate. Retrieved September 29, 2024.
- ^ Gagan, Mark (January 18, 2022). "The Voice of Insurance Podcast, Episode 107: David Walsh and Graeme Newman of CFC Underwriting: Build Your Own". PodBean. Retrieved September 29, 2024.
- ^ Frost, Jen (November 29, 2023). "CFC CEOs Newman and Walsh to depart after Lloyd's investigation". Insurance Business Magazine. Retrieved September 29, 2024.
- ^ Bronson, Caitlin (April 23, 2015). "Five minutes with…Chris Cotterell, Safeonline LLP". Insurance Business Magazine. Retrieved September 29, 2024.
- ^ "SafeOnline". Business Insurance Magazine. Retrieved September 29, 2024.
- ^ Wolff, Josephine (2022). "Breach on the Beach: Origins of Cyberinsurance". Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks. MIT Press. pp. 27–62. doi:10.7551/mitpress/13665.003.0006. ISBN 978-0-262-37075-2.
- ^ Wolff, Josephine (August 30, 2022). "A Brief History of Cyberinsurance". Slate. Retrieved September 29, 2024.
- ^ Daneshkhu, Scheherazade (7 July 2017). "Reckitt seeks to quantify havoc of malware attack". Financial Times. Retrieved 24 August 2017.
- ^ U.S. Government Accountability Office (2023-09-27). "Rising Cyberthreats Increase Cyber Insurance Premiums While Reducing Availability". www.gao.gov. Retrieved 2024-01-30.
- ^ "Duty of Care Risk Analysis Standard". The DoCRA Council. Archived from the original on 2018-08-14.
- ^ NAIC. "INSURANCE DATA SECURITY MODEL LAW" (PDF). NAIC.
- ^ "Maryland Senate Bill 207". LegiScan.
- ^ "House Bill 474". Kentucky General Assembly.
- ^ Schwartz, Galina; Böhme, Rainer (2010). "Modeling Cyber-Insurance". Proceedings of WEIS 2010.
- ^ Wolff, Josephine (2022). Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks. MIT Press. doi:10.7551/mitpress/13665.001.0001. ISBN 978-0-262-37075-2.
- ^ FM Global (30 July 2019). "Cyber insurance may create false sense of security among senior financial executives at world's top companies, suggests FM Global survey". FM Global. Archived from the original on 2020-09-20.
- ^ Satariano, Adam (15 April 2019). "Big Companies Thought Insurance Covered a Cyberattack. They May Be Wrong". New York Times. Retrieved 25 April 2019.
- ^ Osborne, Charlie (11 January 2019). "NotPetya an 'act of war,' cyber insurance firm taken to task for refusing to pay out". ZDNet. Retrieved 25 April 2019.
- ^ Menapace, Michael (10 March 2019). "Losses From Malware May Not Be Covered Due To Your Policy's Hostile Acts Exclusion". The National Law Review. Retrieved 25 April 2019.
- ^ Pal, Ranjan; Madnick, Stuart; Nag, Bodhibrata (2023). "Catastrophe Bond Trading Can Boost Security Improving Cyber (Re-)Insurance Markets". AMCIS 2023 Proceedings.
- ^ Pal, Ranjan; Nag, Bodhibrata (2023). "A Mathematical Theory to Price Cyber-Cat Bonds Boosting IT/OT Security". WSC '23: Proceedings of the Winter Simulation Conference. pp. 648–659. ISBN 979-8-3503-6966-3.
- ^ Lerner, Matthew (September 19, 2019). "Average costs of cyber liability insurance studied". Business Insurance. Retrieved January 7, 2021.
- ^ Mak, Adrian (September 17, 2019). "Average Cost of Cyber Insurance". AdvisorSmith. Retrieved January 7, 2021.