“A Turning Point for Cyber Insurance”
Communications of the ACM, March 2023, Vol. 66 No. 3, Pages 41-44
By Daniel W. Woods
“Going forward cyber-insurance providers will thrive by succeeding in: rewarding security; generating knowledge; and punishing insecurity. ”
Insuring against the consequences of cybersecurity seems too good to be true given the underlying problem has perplexed researchers and practitioners for going on 50 years. Since the 2000s, firms could purchase a cyber-insurance policy with coverage items including data breach litigation, crisis management services, data restoration and, controversially, ransom payments. The National Association of Insurance Commissioners (NAIC) estimated the number of policies in the U.S. grew from 2.1 million in 2016 to 4 million in 2020 with policyholders paying $2.75 billion in premiums.
Recent years have seen cyber insurers struggle. The NAIC reports a 400% increase in ransomware incidents and that three of the top four cyber insurers had unprofitable loss ratios—claims paid out as a percentage of premiums collected. The industry is responding by reducing coverage limits and hiking premiums, with increases of more than 100% year-on-year by the end of 2021.
As a computer scientist, it is easy to interpret such reports as the death of an industry. Finance professionals waded into a technical problem they did not understand and got burned by the reality of cybersecurity, therefore it was inevitable that insurers would either stop offering coverage or invoke exclusions to avoid paying out on any claims. This story has elements of truth, but also be-lies a folkish and naive understanding of insurance markets. I argue the industry’s pain is evidence of the fundamental value of insurance—it pays out when policyholders suffer harm—and that, over time, this dynamic will push the ignorant cyber insurers out of the market. This creates space for technology-focused professionals and solutions.
About the Author:
Daniel W. Woods is a a Lecturer in Cybersecurity at the University of Edinburgh, Edinburgh, U.K. His position is jointly appointed by the British University in Dubai.