August 01, 2017 | Sourcing Strategy Blogs
With cyber-attacks becoming the norm these days, even threatening to expand into a global epidemic, cyber-risk insurers across the globe are seeing organizations and end users scramble for protection from possible data and information security disasters. While reported global incidences of cyber security breaches have been steadily rising at a year-on-year rate of 30-40% since 2015, cyber insurance companies have struck gold. Per experts, the annual global cyber-insurance premium spend stands at $2-3 billion in 2017 and is poised to touch $14 billion by 2022.
Predatory ransomware attacks in early 2017, especially the ‘WannaCry’ attack, are estimated to have caused massive business outages costing nearly $4 billion to organizations globally, including companies like Maersk, Nissan, FedEx, Saint-Gobain, WPP, Mondelez, Rosneft and the UK’s NHS.
The business risks posed to such enterprises are many – regulatory penalties and fines, [customer] breach notification costs, plaintiff lawsuits, PR erosion, forensics investigations, network security and privacy liability, loss of customers, business loss due to operational interruption, customer data theft, financial theft, remediation/business recovery costs, attorney fees and much more. Last year alone, reported costs incurred by the global economy due to cyber-crime were over $450 billion, with over 2 billion personal records stolen and numerous instances of massive business interruptions cascading into a catastrophe of losses. Cyber-crime costs (including direct and indirect costs) are forecast to leapfrog to $6 trillion by 2021.
To cover such unforeseen costs, organizations globally are now flocking to insurance firms for cyber-liability coverage. The global annual cyber-insurance spend stands at $2-3 billion in 2017 and is poised to touch $14 billion by 2022, given the increased vulnerability of existing global inter-networks – thanks to the advent of IoT-driven connected devices, artificial intelligence and machine learning.
Regulatory mandates by governments for disclosure of cyber breach incidents, like the General Data Protection Regulation (GDPR) and Network and Information Security Directive (NISD) coming into full effect in the EU in May 2018, are driving home the importance of cyber-security and increasing the risk of cyber-liability among organizations. In the past, organizations carefully refrained from allowing any news related to possible customer data theft or cyber breach from trickling out to customers for fear of repercussions such as lawsuits or loss of brand value, but with these mandates in place, organizations must walk a tighter rope and an insurance cover seems unavoidable.
The US has had an SEC breach disclosure mandate in place for the past 10 years, reflected in its higher adoption rate of cyber-insurance. Ninety percent of all global cyber-insurance policies last year were written in the United States, while organizations in Europe and Asia are traditional stragglers in adoption due to the lack of a government mandate. However, this will soon end, with the GDPR and NISD regulations coming into effect.
Unlike car or home insurance, cyber-insurance policies are not a standard ‘one-size-fits-all’ product. Policy coverage and premium cost depend on a company’s industry, services, IT infrastructure, privacy policies and procedures, type of sensitive data collected/processed/stored, data risk and exposure, system architecture, enterprise solutions, total number of PII/PHI records, InfoSec policies, etc. A typical cyber-policy premium quote for a company in the healthcare industry with an insurance cover of $1 million and revenue of $25 million is $12,900, while that for a similarly-scaled company in the education sector is $6,000. In the financial industry, a company with revenue of $100 million and insurance cover of $1 million could have to pay a premium as high as $37,000.
The US cyber-insurance supplier market is a highly consolidated one, having matured over the past decade. The largest cyber-insurance suppliers in the US are AIG, XL and Chubb (together they claimed 40% of the US market last year), followed by Travelers, Beazley, CNA, Liberty Mutual, BCS Insurance, AXIS Insurance and Allied World. The market share of the top 15 suppliers in the US is around 85%. Other cyber-insurance providers who control a chunk of the global market include Advisen, ABI, Allianz, Aon, Zurich Insurance, and Hiscox.
As incidents of cyber-attacks continue, sourcing managers can no longer defer the need for a holistic cyber-insurance policy for their organization. Demand for such policies is increasing, and the prices of premiums are likewise expected to soar. However, with the new market trend of tech firms like Apple-Cisco coming together to negotiate premium discounts for their customers, sourcing managers have a silver lining. They can look at sourcing options from suppliers of IT products and services who can offer complimentary discounts in insurance premiums, or even a guarantee against cyber-breaches. Either way, cyber-insurance policies are finding many new buyers and becoming an invaluable part of every organization’s insurance portfolio.