In the aftermath of the Equifax data breach last year that exposed personal information of more than 145 million people, analysis firm Property Claim Services estimated that cyberinsurance would cover roughly $125 million of Equifax’s losses from the incident. It’s uncertain whether Equifax will actually receive that much money; insurance claims can take a long time to investigate, process, and pay out. But it was a reminder of the increasingly important role insurance plays in cybersecurity—and the challenges of getting it right.

In 2016, the cyberinsurance market brought in around $3.5 billion in premiums globally, of which $3 billion came from US-based companies, according to the Organisation for Economic Co-operation and Development. That’s not an enormous amount of money compared to other insurance markets; motor vehicle insurance premiums in the US, for instance, total more than $200 billion annually. But cyberinsurance premiums have grown steadily at a rate of roughly 30 percent every year for the past five years, in an industry unaccustomed to such spikes.


With the European Union General Data Protection Regulation poised to go into effect May 25, and firms of every size in every sector concerned about emerging online threats, insurance carriers see ample opportunity. But as the cyberinsurance market grows and those carriers take on responsibility for more computer-based risks, it becomes increasingly important that they model that risk and predict its outcomes accurately, a notoriously difficult task in the evolving and unpredictable domain of online threats.

Companies like retailers, banks, and healthcare providers began seeking out cyberinsurance in the early 2000s, when states first passed data breach notification laws. But even with nearly two decades of experience and claims data in cyberinsurance, underwriters still struggle with how to model and quantify a unique type of risk.

“Typically in insurance we use the past as prediction for the future, and in cyber that’s very difficult to do because no two incidents are alike,” said Lori Bailey, global head of cyberrisk for the Zurich Insurance Group. Early policies dealt primarily with data breaches and third-party liability coverage, meaning the insured’s obligations to others, like the costs associated with breach class-action lawsuits or settlements. But more recent policies tend to add first-party coverage for the insured’s own losses, including costs like online extortion payments, renting temporary facilities during an attack, and lost business due to systems failures, cloud or web hosting provider outages, or even IT configuration errors.

Diversification

The constantly changing threat landscape isn’t the only challenge cyber underwriters face. Since many companies don’t have cyberinsurance, incidents at those companies never produce claims, and many are never reported publicly at all, making it more difficult to reliably estimate the frequency or costs of such events.

“If you’re writing policies for personal automobile or personal homeowners insurance you definitely have a lot of really good data. The worst data is probably in cyberinsurance,” said Nick Economidis, a cyber liability underwriter at Beazley PLC.

In other areas of insurance, such as earthquake or flood coverage, carriers also make sure to diversify their customers, for instance by spreading them out across different geographic locations in order to avoid being overwhelmed by simultaneous claims. The cyberinsurance industry has attempted to diversify by adding clients of various sizes in different industries. But last summer’s NotPetya attack, malware that presented itself as ransomware but destroyed data with no way to recover it, did not discriminate based on sector or company size, causing well over a billion dollars in total damage across shipping, pharmaceuticals, and more. So now, carriers try to diversify among cloud providers, web hosts, software dependencies, and operating systems, Bailey said.

That, too, could prove challenging. Vulnerabilities like Heartbleed, ransomware like WannaCry, and the recent Spectre and Meltdown flaws in Intel and other processors don't appear to have resulted in large cyberinsurance payouts. But each was a single defect in a component shared by an enormous number of organizations, which is exactly the kind of pervasive issue that creates the inherent risk of simultaneous claims from many of a carrier’s customers, regardless of how those customers are spread across sectors.

Teaming Up

As they struggle to assemble a diverse risk portfolio, many carriers have also partnered with security firms to provide their customers with a more standardized and, they hope, more resilient set of technologies to protect their digital assets. Allianz recently announced a partnership with Aon, Apple, and Cisco, through which customers could receive “enhanced” cyberinsurance policies from Allianz—including lower deductibles and coverage for hardware replacement costs—if they also use the assessment tools, security technologies, and breach response services provided by the three other partners. It's a similar dynamic to a health insurance company offering discounts for in-network providers.