Ransomware, Data Breaches Expose Gaps in Cyber Insurance Market

As U.S. companies grapple with cyber crime costs, indiscriminate ransomware attacks, and hundreds of millions of dollars in data breach fines, many seek protection in a normally predictable bet—insurance.

But some companies have discovered the hard way that policies can be filled with gaps and exclusions. Some don’t cover all regulatory fines and penalties. Others may cover ransom payments made to end certain attacks, but not all the long-term damage to systems caused by the attack. 

And in two ongoing court cases, insurers are contending that “war’’ exclusions allow them to not cover cyber attacks linked to Russian state actors. 

“It’s not like car insurance and house insurance and the flood industry,” Scott Shackelford, law professor and cybersecurity program chair at Indiana University Bloomington, said. “It’s too early for an industry standard.” 

Reports from insurance broker Marsh and the Council of Insurance Agents & Brokers indicate that at least one third of companies have adopted cyber liability policies in 2018, up from around a quarter in 2016. Cyber insurance can shield companies from millions in losses if a plan is purchased with attention to each aspect of coverage, insurance experts and brokers said. 

As cyber liability policies continue to develop, insurers globally see technology and cybersecurity as the first and second largest risks facing the industry in the next two to three years, according to a July report from the Centre for the Study of Financial Innovation and PriceWaterhouseCoopers. 

“Really the issue now is that making sure the policies they are buying is mapping up to the risks they face legally should the incidents occur,” Ryan Sulkin, a cybersecurity attorney and partner at Michael Best & Friedrich LLP, said. 

AXA US and and American International Group Inc. are among those leading the market in direct premiums written for pure cyber insurance, accounting for $488 million in premiums last year, according to a June report from credit-rating agency A.M. Best Co. Inc. The top policy writers for all types of cyber coverage are The Hartford Financial Services Group Inc., Liberty Mutual Group Inc. and Farmers Insurance Group. 

Cyber premium volume exceeded $2 billion for the first time in 2018, and the total number of cyber insurance claims surpassed 10 million last year, according to the report.

So far, it’s been a highly profitable business. While losses have risen, the ratio of claims payments and related costs was less than 25 percent in 2018, though those margins aren’t expected to last, according to Best. READ