The market for cyber services is growing. In the last year, data breaches and cyber attacks have increased significantly, so the share of cyber insurance is expected to continue to rise in the coming years.
Cyber insurance has been growing as companies have seen the need for protection against attacks involving financial losses, security breaches or cyber attacks. The market is expected to reach $20.4 billion by 2025, with an annual growth rate of 21.2%.
Although cyber insurance is at an early stage, it is one of the fastest growing segments in the industry, as attacks represent a broad risk as new technologies emerge. Data breaches take place on a daily basis, and these insurances have advanced tools to help policyholders protect their businesses from the consequences of cyber threats.
Currently, there is no exact definition of what cyber insurance includes and coverage will vary by industry, type of business and individual business needs. The lack of claims in this segment causes these disparate coverages to exist and makes it difficult to assess risks and create predictive models around threats.
These insurances are designed to mitigate losses from various cyber incidents, including data breaches and the damage they cause to businesses. The existence of a consistent insurance market will help reduce the number of attacks. The existence of such a service promotes the adoption of preventive measures in exchange for increased coverage and encourages the implementation of best practices by basing premiums on the insured’s level of self-protection.
Because general property insurance does not include cyber risks in its terms and conditions, cyber insurance has emerged as a separate line of coverage. The coverage they cover is broad and encompasses a range of losses from cyber incidents, including costs arising from data destruction and theft, hacking, denial of service attacks, crisis management activities related to data breaches, defamation, fraud, and privacy violations. However, few cyber security policies provide coverage for physical damage that could result from a successful cyber attack on critical infrastructure.
Policyholders need to assess their cyber postures realistically because insurers require greater transparency and detail regarding potential losses and increasing threats. This is of mutual benefit where insurers have a more receptive environment to consult with policyholders to help them identify potential protection gaps and, as a result, policyholders can improve their risks by protecting against such gaps.
Insurers and customers seek to mitigate any potential cyber-attacks through cybersecurity governance and investment in controls. If this were not the case, insurers would suffer great losses, reducing their responsiveness and availability. Insurance is thus seen as a necessity as a method of risk transfer for cyber security. Stability for insurers is essential for policyholders to be able to offer risk transfer in the future.
Ransomware attacks, data breaches and fraudulent activities such as email compromise have been at the top of the list of cyber attacks. The global economic costs of such crimes are estimated to grow by 15% per year over the next few years, reaching $10.5 billion per year by 2025 . These values are not surprising considering that the world of attacks is advancing at a very fast pace, e.g. cybercriminals are leveraging automation and AI to better exploit weaknesses as quickly as possible.
The pandemic has seen strong growth in this segment as vaccine-related companies, research institutes and government agencies were targeted for attack by criminals. The most common attacks on companies are described below:
Data breaches pose one of the biggest threats, hundreds of millions of pieces of data were compromised in 2020. There is a growing number of personally identifiable information on risk owner sites and an increasing importance of data.
For example, IBM said that in 2020 the average time to detect a breach was 280 days, even though the average savings of containing a breach in less than 200 days was $1 million . The world will store ever increasing volumes of data so these types of attacks are not expected to disappear or diminish.
Ransomware will continue to grow rapidly and is expected to continue in the future. This is not only happening with encryption, but with increasing data exfiltration. Ransom demands are also growing exponentially, for example, IBM Security X-Force is receiving extortion cases for amounts of more than 40 million in some cases.
Ransomware will increase as IT systems increasingly converge with critical infrastructure and operational technology systems. There is significant concern that more data, devices and lives will be at risk as these attacks target power grids, medical systems or transport management, for example.
BEC scams are also among the most common and continue to increase. The average loss for a BEC can be between $50,000 and $80,000, although there have been higher cost cases such as in 2020, when Puerto Rico lost more than $4 million in three BEC attacks against government agencies. 
Detecting such scams is complex in remote work. In addition, the provision of technology also contributes to this, such as when audio and video of a counterfeit are used simultaneously.
Currently, 41% of small businesses that suffered a data breach paid more than $50,000 to recover and almost 30% of customers said they would never return to small businesses affected by a data breach, demonstrating how such attacks can affect a company’s business . The providers of these services are diverse and vary by industry:
Obviously, all companies and individuals using the internet are exposed to the risks involved, but nevertheless, some industries may present a higher risk, such as healthcare, governments, utilities, schools or financial institutions. Companies with old legacy systems that are not upgraded are generally the most at risk because, together with the retention of customer records, this makes them very attractive to attacks.
Therefore, these types of companies or institutions have had cyber insurance for years, but it is only now that other types of companies are purchasing these services more regularly, such as in manufacturing, professional services, online shopping, and so on. The current number of companies with cyber insurance needs to continue to grow in the face of the high threat of attacks. Regardless of the type of company you are, large or small, you are at great risk of a data breach and the consequences can be very serious for future business.
In conclusion, there is a growing number of providers of these services, but they face a number of challenges due to the changing nature of cyber threats. As providers sell more policies, more information will be gathered from the claims data they collect to understand risks and build better coverages.