Perspective: Time for Regulators to Take Cyber Insurance Seriously

Published 24 March 2020

In April 1997, Steven Haase and some of his colleagues in the insurance industry hosted a “Breach on the Beach” party at the International Risk Insurance Management Society’s annual convention in Honolulu to launch the first ever cyber-insurance policy. Josephine Wolff writes that it would be years, still, before cyber insurance would generate sufficiently significant sales numbers to attract the interest of most major insurers and their customers. More than two decades later, cyber insurance has expanded into a multibillion-dollar global business, with 528 U.S. insurance firms reporting that they offered cyber-specific policies in 2018.

In April 1997, Steven Haase and some of his colleagues in the insurance industry hosted a “Breach on the Beach” party at the International Risk Insurance Management Society’s annual convention in Honolulu to launch the first ever cyber-insurance policy, called the Internet Security Liability Policy. Josephine Wolff writes in Lawfare that Haase had spent nearly two years trying to develop an insurance offering that would cover online security risks and threats, but only about twenty people showed up to his big launch.

Wolff writes:

It would be years, still, before cyber insurance would generate sufficiently significant sales numbers to attract the interest of most major insurers and their customers. More than two decades later, cyber insurance has expanded into a multibillion-dollar global business, with 528 U.S. insurance firms reporting that they offered cyber-specific policies in 2018.

Yet, despite this rapid growth, cyber insurance has posed significant challenges for both the buyers and the sellers of these policies. In a market without standardized expectations for coverage, buyers often fail to understand exactly what types of incidents are covered. Meanwhile, given the incomplete and inconsistently collected data on cybersecurity incidents, insurers are often unsure how to model and price cyber risks, resorting to pricing policies based on the revenue and size of the firms they are selling to, rather than a meaningful assessment of those firms’ risk exposure and defense postures. And hovering over all those concerns about fine-tuning actuarial models and pricing is the fear that a large-scale cyberattack could affect so many customers simultaneously that insurers would be unable to pay out all the necessary claims. Unlike with, say, flood insurance or auto insurance, when it comes to anticipating cyberattacks, it is difficult for insurers to know how to assemble a diverse group of customers who will not all be victims of the same incident.