2015 was a banner year for breaches. We saw some very high profile hacks impact and disrupt organizations all over the globe. From Ashley Madison to 78m records taken from Anthem, the breaches started early in 2015 and continued throughout the year.
Even the US government was not immune: the Office of Personnel Management (OPM) was hacked, with about 18m very sensitive records being taken. Those records included Social Security Numbers, addresses, security clearance information, and more. If history is any indicator of future activity, we can expect the volume and frequency of hacks to continue in 2016.
As the threat continues to grow around data breaches, cyber insurance adoption also continues to grow.
According to a 2015 survey, 85% of US companies with more than 100m in revenue had cyber or data privacy insurance, primarily to protect them against financial loss.
Of those with insurance, 44% have filed a claim as a result of a breach. I am surprised only 85% had some form of insurance and expect that number to grow in 2016.
Last year the cyber insurance industry took in 2.5b in premiums, up from 2b in 2014. According to PWC, the cyber insurance market is set to triple in the next few years and will reach $7.5 billion by 2020.
The biggest challenge most companies will face regarding cyber insurance is the rapidly maturing underwriting practices of cyber insurers.
Insurance companies are starting to improve their actuarial tables for cyber insurance. This will allow them to ask better questions and, ultimately, to require insured companies to produce artifacts that substantiate their answers to those questions. I believe this will ultimately lead to regulatory requirements in the insurance industry similar to HIPAA, ISO 27001, or PCI.
Recently a group of insurers led by Lloyd's of London published the Cyber Exposure Data Schema. Their intent is to create open standards for how the industry shares data about cyber risk and estimates losses, and to establish a common language and common categories that cut across the industry.
Ultimately, a company’s adherence to those standards will determine how much their premiums are. I believe this will lead to a perspective of “the better my information security protections are, the lower my costs for cyber insurance.”
I also believe we will start to see insurance companies demand and require board-level visibility into internal security practices if those companies want cyber insurance policies.
No longer will a company's board of directors get to "put their head in the sand" with regard to data protection within the company they lead.
Insurance companies will expect and require proof of board-level governance and awareness of all types of financial risk, including cyber.
Currently, the US dominates the acquisition of cyber insurance policies compared to other countries, primarily driven by regulations aimed at protecting PII (personally identifiable information).
Pending negotiations in the EU on the implementation of new data protection regulations will drive increased adoption of cyber insurance outside the US. I believe we will see this adoption across the globe.
Cyber insurance is no longer a fledgling product. It is maturing, growing, and expanding worldwide. Companies need to be prepared for regulations, more stringent requirements, and more board-level visibility.
Our data is valuable and the bad guys want it. Insuring our companies against the financial loss associated with those activities is a must, as it’s not a matter of if you face a breach, but when.