The cyber insurance policy is the hottest insurance product in the market, but it is untested for wide-range, catastrophic cyber events, and many risk managers and security experts warn the days of low premiums and cover-everything policies are numbered. Some researchers warn a catastrophic cyber event triggering thousands of policy holders to file claims simultaneously could lead to insurers going bankrupt, like in 1992 after Hurricane Andrew, or require a federal bailout like in 2008.
But for now, insurers are raking in piles of money with cyber security policies. Premiums for cyber policies brought in a total of $1.35 billion last year and total premiums could surpass $10 billion by 2020, says Stroz Friedberg, a risk management company. The industry grew by 35 percent last year alone and forecasts predict a 733 percent growth in cyber premiums over the next 10 years. With that kind of growth, companies like AIG, Travelers, Chubb, and XL Group have rushed in and premiums are competitive. These four insurers lead in market share, with around 45 percent of the cyber policy market, says Fitch Ratings.
But many in the computer security industry warn that all the excitement in the insurance space is not taking into account how much risk insurers have assumed and will be responsible for after a catastrophic cyber event. Mike Viscuso, a former hacker for the National Security Agency turned security entrepreneur, says cyber insurance policies are "dramatically underpriced" considering how much a typical policy promises to cover. He says the world has never seen a cataclysmic cyber breach, so there is no way to assess risk accurately.
"We are in the early innings of cyber insurance and we haven't seen what a wave of payouts will look like for the industry," says Viscuso. "If the insurance industry collapses, it's going to be because of cyber insurance."
Cyber policies range in coverage, depending on the type of company and type of data the company handles. (Banks and health care companies require expensive policies because these businesses gather and store sensitive personal information.) Basic policies cover incident response, public relations, legal fees, digital forensics (to find the source of the hack), customer notification, and crisis communication. More expensive policies will cover business interruption, loss of life, physical damage, and other extreme scenarios. Most policies do not cover terrorism-related breaches, human error, or fraud (including business email compromise). All policies require insured companies to follow minimum security requirements in order to be eligible for payouts.
Heidi Shey, a senior analyst at Forrester who studies the cyber insurance space, says insurers are in an excited "land-grab" state, gobbling up as many customers as they can because insurers believe most businesses will not file a claim, or there could be a cyber event that doesn't get covered due to an exemption, such as human error, credit card fraud, or email fraud. But Shey says the industry could be in trouble if a serious cyber event hits hundreds of insured companies.
A rash of companies have sued insurance providers, to no avail, after misinterpreting cyber insurance policies that didn't cover certain costs associated with a breach. P.F. Chang's, a Chinese restaurant chain, was hacked in 2014 and filed a claim on its cyber policy. The restaurant received $1.7 million for damages related to the hack, like digital forensic investigations, legal fees to defend against lawsuits, and other costs. But Chubb, its insurer, denied covering an additional $2 million in credit card fees after hackers posted 60,000 credit card numbers belonging to Chang's customers online. Chang's sued its insurance company, but lost. The judge decided Chang's policy did not cover fees to MasterCard, Chang's debit and credit card processor, because Chang's had signed a contract with MasterCard making it liable for those fees in the event of a breach.
In other court cases, insurers fought to avoid paying cyber claims. In 2013, hackers swiped 32,500 medical records from Cottage Health, a hospital network operator. Its insurer sued to rescind its policy and deny coverage, citing that Cottage Health didn't meet the minimum cyber security practices outlined in its cyber policy. Shey says there's a lot of uncertainty because cyber policies are new, customers don't understand exemptions, and insurers are not accurately quantifying a company's cyber security risk. Exemptions and payout caps can save an insurer from paying more than it can afford, Shey says, but a catastrophic event with hundreds of clients filing claims at the same time is worrisome.
"The type of coverage insurers are promising, and what they might need to pay out is a huge concern," says Shey.
The insurance industry now uses sophisticated catastrophe modeling for risk assessment when it comes to flooding, hurricanes, and other natural disasters, but that wasn't the case until 11 insurance companies went bankrupt after Hurricane Andrew in 1992. (Hurricane Andrew crushed Florida, leaving $15.5 billion in damages, which exceeded the total of all insurance premiums ever collected in Dade County up until the storm, according to The New York Times.)
But that long history of data on past catastrophes does not exist in the cyber insurance policy world, says Stephen Boyer, the CTO and co-founder of risk-rating company BitSight, a company that assesses company risk for cyber policies written by AIG, Travelers, and others. The data is mostly on single-target attacks, like Sony and Target.
"Many insurers are worried about underpricing (of policies)," says Boyer. He is not sure the insurance industry could withstand "a Hurricane Andrew-size data breach." Right now, most insurance companies are writing policies without the means to accurately assess a company's risk because historical data and historical precedent are nonexistent, says Boyer. BitSight is only working with seven out of the 10 largest insurers, but the majority of insurers that write cyber policies still assess a customer's risk by asking customers to fill out questionnaires about what types of data a company handles and its security protocols. Boyer says there are only 70 insurers in total that currently write cyber insurance and many bundle it with other types of coverage to keep customers.
"Thinking about what happened in the Ukraine, when the power grid went down, imagine that happening in New York City," says Boyer. "You're talking about billions of dollars in claims for damage, business interruption, loss of life. These scenarios are business-ending if your whole book of clients is in the northeast."
A report by Lloyd's and the University of Cambridge, which studied the insurance implications of a cyber attack on the U.S. power grid, paints a financial, economic and public health nightmare. The report estimates that if hackers took control of the power grid from New York City to Washington, D.C., the damage could total $20 billion to $70 billion and cost the economy from $243 billion to $1 trillion. Tens of thousands of insured businesses could be affected and 93 million people across 15 states could be without electricity. The report concluded there was no way the insurance companies could survive; payouts would exceed insurance companies' ability to pay.
According to a broker, who preferred not to be named, Target had one of the largest policies in the industry at $100 million. (Target spent that after its data breach, paying for incident response, legal fees, and customer notification.) A typical midsize, regional company that is not a healthcare company or a bank will pay $25,000 a year for a $20 million cyber policy. Premiums increase if a company handles sensitive information.
Viscuso, who founded cyber incident response company Carbon Black in 2011, which was acquired by Bit9, says cyber breaches are unlike damage from a hurricane. With a hurricane, you can typically see all the damage after it hits, but a breach might not be obvious for most companies.
"A breach could be happening for a year or more, every day," says Viscuso. Hackers could be doing a lot of damage before a company notices and files a claim, which is why he thinks the industry doesn't know what a cyber disaster could do to it.
Raymond Farmer, the director of the Department of Insurance of South Carolina and the chair of the cyber insurance working group for the National Association of Insurance Commissioners, says the insurance industry is at risk, but he contends the industry isn't going anywhere.
"Would a big cyber event take down companies? Yes, any large catastrophic cyber event or natural disaster would be problematic to the industry," says Farmer. But he says the industry could avoid a repeat of the bankruptcies and government bailouts of the past because insurers undergo regular reviews to ensure the firms are solvent and can pay customer claims. Farmer also says that "doomsday scenarios" can be handled with reinsurance and guaranteed funds that make sure policyholders get paid after a catastrophic event.
"Businesses will always need to transfer risk," says Farmer, "and insurers are more sophisticated today and we are handling risk properly."