Despite increasing risks, cyber insurance remains largely disregarded by those who need it most

The insurance industry has faced several major inflection points and has evolved alongside economic and societal shifts to enable the adoption of new technology.

An example of one such shift was the Industrial Revolution of the eighteenth century, which introduced complex machines and advanced productivity. These advancements eliminated mankind’s reliance on producing goods by hand, but also introduced new risks and hazards. One of these risks was the destruction of these costly machines by fire, a frequent peril in homes built primarily out of timber and thatch. The advent of affordable fire insurance was a turning point that gave many mercantile entrepreneurs the incentive to finance new infrastructure, which was crucial to industrial development at large scale.

Several hundred years later, the computer network revolution, or Digital Revolution, began to unfold. With advancements like cloud computing, the sharing economy, mobility and social media, technology has propelled human progress forward like never before. However, with the pervasiveness of computers being used at home and in the office, running our enterprise data centers and managing our lives, comes a significant exposure to cyber attacks and computer malfunctions. These attacks can have devastating consequences for those who depend on these computers.

Just as the Industrial Revolution relied on interwoven financial schemes to sustain and nurture it, including project financing, insurance and other instruments, the Digital Revolution has been sustained in part by financing, security controls, and cyber insurance. In essence, by indemnifying policyholders from significant losses associated with cyber events, insurance provides an institutional incentive to utilize new technologies and bear some of the risk that results from digitization.

Tilli Kalisky-Bannett

Cyber insurance was first introduced in the late 1990s, in parallel with the introduction of state regulation related to breach notification. Up until then, the consumer bore the consequence of a data breach. Once regulation was enacted, the risk was transferred to the enterprise. The enterprise then looked to insurance to transfer the risk onwards. Insurance was, and still is, a cost-effective risk-transfer scheme for breaches.

Today, cyber insurance is a $2b-$3b market in gross written premiums (GWP), according to industry analysts. Cyber insurance covers costs associated with losses resulting from a cyber event, and not just a breach, including damage to technology and digital assets, business interruption and additional liabilities. High-profile and frequent cyber events such as the Dyn attack, WannaCry, NotPetya and the Yahoo! breach have created more awareness of cyber insurance and its benefits. Today, there are approximately 70+ markets which offer cyber insurance. Most offer coverage for both first-party costs and liability losses, such as the following:

• Data breach: Coverage for costs associated with a data breach, including notification costs, credit and fraud monitoring, technical response costs, public relations expenses, legal services, PCI fines;

• Cyber attack: Coverage for cyber attacks which cause damage or losses to either the insured or third-parties, such as the need for data restoration, technical response and public relations costs;

• Business Interruption (BI): Coverage for losses of revenues as a result of a system disruption caused by a cyber attack;

• Extortion: Coverage for costs resulting from an extortion event related to a cyber attack;

• Financial fraud: Coverage for costs resulting from misguided wiring or transfer of money or securities due to a cyber event;

• Media liability: Coverage for claims from third-parties resulting from a cyber event which results in advertising injury, such as infringement of IP, copyright/trademark infringement and libel/slander publishing sensitive information;

• Data Privacy liability: Coverage for claims from third parties resulting from damage due to a data breach;

• Network security liability: Coverage for claims from third parties resulting from a compromise in your network security as a result of a cyber event.

The types of companies that would benefit from cyber insurance include:

• Those which collect payment information for retail sales (brick-and-mortar shops, hospitality sector, online commerce entities);

• Those which hold personal information or intellectual property for customers, employees or other beneficiaries (education, professional services);

• Healthcare companies which hold healthcare records (hospitals, clinics, healthcare IT, medical device companies);

• Companies which rely on technology for productivity and/or operations (manufacturers, tech companies).

Even though the relevance of cyber insurance is far-reaching, penetration for cyber insurance is still rather low. According to Advisen, penetration at the enterprise level is below 30%, mid-market is less than 20% and SMB is less than 10%.

The reasons for low penetration are varied: in some cases, customers are still unaware of the extent of their cyber risk as well as the exposure they would face if they were breached or attacked. In other cases, customers do not understand what is being covered and whether there is an ROI to purchasing cyber insurance. Finally, other insurance products (CGL, Property) may carve out small coverage for cyber events and customers may feel that is sufficient.

As technology becomes more pervasive to how we live and work, there is a growing toll in not purchasing cyber insurance. Any industry that makes use of networked computers for advanced productivity and digital processes is at risk. Having insurance minimizes those risks. And this is the exciting opportunity available to the insurance industry.

While none of us was alive during the Industrial Revolution, we are fortunate to witness the Digital Revolution and, as insurance professionals, have the privilege to support and galvanize it.

Tilli Kalisky-Bannett is a founder at CyberJack, a cyber insurance start-up based in Mountain View, Calif. She spent the majority of her career as a partner with 83North, a top-tier Silicon Valley technology-focused venture capital firm. While at 83North, Tilli led and managed investment processes for multiple portfolio companies and held Board directorships and Board observer roles across multiple companies. She received her MBA from MIT, where she graduated with Honors. In 2013, Tilli was voted top 40 under 40 in the national business newspaper The Marker.