Cyber Insurance: Drivers of Growth
One of the quickest growing segments of the insurance industry is cyber insurance coverage, as revealed on page 11 of this report. Five drivers to this growth are an increasing number of cyber attacks, a rapidly growing number of IoT and IIoT devices and their related vulnerabilities, global enhancement of regulations on personally identifiable information loss (like GDPR and CCPA), increasing awareness of cyber thefts among small- and medium-sized enterprises, and a growing number of companies viewing cybersecurity insurance as a risk mitigation strategy.
Increase in Cyber Attacks
- High profile data breaches and ransomware attacks such as the WannaCry and NotPetya attacks in 2017, have convinced companies they need protection.
- Any company can fall victim and be a potential target of cyber attacks. From small town businesses to Fortune 500 companies, there is no business that is guaranteed immunity to cyber risk. In fact, while a company that is considered large is more likely to endure a cyber attack, "the proportion of small firms (less than 50 employees) reporting one or more incidents is up from 33 percent to 47 percent. For medium-sized firms with between 50 and 249 employees the proportion has grown from 36 percent to 63 percent."
- Over the past five years, security breaches have increased by 67%, according to Accenture’s global survey.
- Cybersecurity Ventures predicts that a business will fall victim to a ransomware attack every 11 seconds by 2021.
- Make UK and AIG surveyed manufacturers in the UK, and almost 50% of them said that they were victims of cybercrime or a cyber security incident at some point.
Rapid Growth of the Number of IoT and IIoT Devices and Their Related Vulnerabilities
- The anticipated number of Internet of Things (IoT) devices that will exist by 2020 will be 20.4 billion, according to a press release from Gartner, Inc.
- Routers accounted for 75% of IoT attacks in 2018, and connected cameras accounted for 15% of them.
- Five minutes is the average amount of time it takes for an IoT device to be attacked once plugged into the Internet, according to a report from NETSCOUT.
- There has been a significant increase in the number of attacks on both the industrial control systems (ICS) and the operational technology (OT) side of the Industrial Internet of Things (IIoT).
- Sixty-eight percent of respondents stated that altering the function of IoT devices through malware or other attacks is a concern. Fifty-four percent of respondents said that remote control of a device by an unauthorized user is also a worry. These IoT security threats are included in this free downloadable 2019 Global PKI and IoT Trends Study.
Global Enhancement of Regulations on Personally Identifiable Information Loss
- ZDNet reports that only 2% of companies’ IT expenditure last year was used on security measures.
- According to HIgh-Bridge, 32% of American companies failed to properly implement SSL/TLS encryption, while 16% of European companies failed to do a proper job.
- Paula Miller, a senior vice president in cyber practice for Marsh states that the imminent arrival of the new CCPA law is driving sales and moving companies that already buy cyber insurance to reach out to their brokers to ensure their policies are compliant with the new law. “This is prompting them to not only reevaluate their coverage, but the overall insurance limits that they purchase,” Miller said. “In some cases, this law will increase sales in the form of increased limits for existing buyers.”
- Dan Burke, a national cyber practice leader with Woodruff Sawyer, states that clients are also thinking about higher limits. “I would say that it is driving some increased purchasing from a limit perspective for us,” Burke said, as something similar occurred just before Europe’s GDPR kicked in last year. "A lot of that buying activity happened right up until the regulation went into effect." He expects a similar experience up to and beyond the Jan. 1 implementation of the new law. “We’ll see an increase in those six months right prior to that,” Burke said.
- A recent report by Goldman Sachs says that they are expecting cyber premiums to grow by double-digit numbers through the next 3-5 years and one of the drivers is the California Consumer Privacy Act (CCPA).
Awareness of Cyber Thefts Among SMB's
- Eighty-nine percent of SMBs recognize that cybersecurity needs to be one of their top priorities, and seventy-nine percent are planning to buy into cybersecurity within the next year, according to a report from Vanson Bourne and commissioned by Continuum Managed Services.
- This increased level of cybersecurity awareness among SMBs has been precipitated by the never ending assault of cyberattacks directed at them, coupled with a 59% increase in such attacks.
- 67% of SMBs experienced a cyberattack, and 58% experienced a data breach in 2018, according to a Ponemon Institute report.
- 43% of attacks still target small businesses, and 56% of breaches takes months or longer to discover, according to the 2019 Verizon Data Breach Investigations Report.
- 71% of ransomware attacks are aimed at small businesses, according to a report from the Beazley group.
- According to the latest Federation of Small Businesses research, small businesses in the UK experience almost 10,000 attacks per day.
Companies Viewing Cyber Insurance as a Risk Mitigation Strategy
- Once a breach happens, a sudden drop in a company’s perceived value is likely to follow. Negative media coverage can fuel the “sell now” group think, which could be the final nail in the coffin if a business is unable to stay afloat in the wake of an attack.
- Companies don’t only lose current customers following a cyber attack; a damaged brand reputation means they also lose the potential to gain new ones down the road. A company’s brand is linked to all aspects of business, including growth and revenue. In fact, 85% of U.S. consumers are loyal to brands that safeguard and protect their personal information, meaning a data breach can have serious implications for the future of a business.
- There are many ways an organization can be deemed to be cyber resilient, but an important indicator is a deep understanding of cyber risk. This means going above and beyond IT considerations, by implementing cyber risk management into an overall business strategy.
- According to Lori Bailey, Global Head of Cyber Risk at Zurich Insurance, “the goal should be to develop resilience and protection, because as cyber risks accumulate it becomes more difficult to anticipate them all.” Organizations that have traditionally viewed cybersecurity as separate from other risks are now starting to see the bigger picture.
- These procedures should be considered when creating a cyber mitigation strategy: ensure that only ‘clean’ hardware is used, review insurance policies to ensure there is cyber insurance in place, and go threat hunting.
- Seventy percent of healthcare organizations lack cyber insurance, according to this survey.
- Another study reported that only 5% of manufacturing companies in the United States have a cyber insurance policy.