Lessons Learned from Cyber-Insurance Emerging Practice Seen as Component in Managing Risk
Lessons Learned from Cyber-Insurance
Juergen Weiss of Gartner

Organizations are not buying cyber-insurance policies at explosive rates despite recent high-profile breaches. But Gartner's cyber-insurance expert Juergen Weiss says that might not be a bad thing.

The modest growth of organizations buying policies shows that they recognize that cyber-insurance is not the primary solution to how they should mitigate IT security risk, Weiss says.

"We're not going to see in two years that everybody will have a cyber-insurance policy, but we'll hopefully see more awareness about best risk management practices, and then cyber-insurance could be one element of those best practices," says Weiss, Gartner's managing vice president.

Cyber-insurance remains a relatively nascent industry, with only 50 or so insurers offering policies, mostly in the United States. Proof of the newness of cyber-insurance is that most offerings vary widely from insurer to insurer, he says, unlike other types of liability insurance, where policies issued by different providers are similar to one another.

In the interview, Weiss discusses:

  • How rapidly changing cyberthreats have an impact on the cyber-insurance marketplace;
  • Why many companies have yet to buy cyber-insurance policies;
  • Difficulties multinational companies face in acquiring cyber-insurance.

At Gartner, Weiss focuses on insurance industry research, covering a broad range of business and technology topics. Weiss manages the worldwide insurance research agenda within Gartner and has more than 15 years of IT experience. Prior to joining Gartner, he had several executive roles in product management, development and consulting at SAP AG, where he was globally responsible for one of SAP's product lines in financial management.

Cyber-Insurance Today

ERIC CHABROW: In the past, insurers didn't have the expertise to underwrite policies. How has the situation changed?

JUERGEN WEISS: Not a lot, Eric. About 80 to 90 percent of the cyber-insurance business is underwritten in the U.S. Knowledge is concentrated to some degree. There is some business growing outside the U.S. There have been a lot of breaches in the U.K. and Germany, and some other markets, but still, knowledge is not widely distributed. There are around 50 providers that are offering cyber-insurance these days, but good underwriters, especially since this is a relatively young product, are still hard to find in the market.

CHABROW: What are some challenges organizations face abroad in getting cyber-insurance?

WEISS: One of the first questions is, what are the kind of limits and how much coverage can they actually obtain? Even the highest coverage you may get is in the range of $20 million to $30 million. If you are a multinational organization, your risks are typically much higher than that. One of the challenges is to get proper coverage, and find an organization that would be willing to underwrite your risks globally. Second, a typical issue for multinationals is that they are not having a centralized risk management organization. Typically, risk management processes and policies do vary from region to region, because of differences in culture, regulation, and legal consequences. We'll go for a more regional approach when it comes to cyber-insurance.

CHABROW: Why are companies still not buying cyber-insurance, even after recent breach publicity?

WEISS: One of the biggest issues holding companies back is awareness. What are these products offering? What are the coverages they provide? Are the providers really covering in the case of a loss? Like any insurance product, you are not sure, as a client, what will be covered.

Are They Paying Off?

CHABROW: Is there enough evidence out there to show whether or not insurance companies are paying off as users expect?

WEISS: Normally, that is not being settled in public. Typically, there will be some sort of liability issue that comes up and insurers will not pay the entire amount. The problem is, you do have very little insight into how much insurers are actually paying, and what is being left on the shoulders of the clients.

CHABROW: Do you think that could be a reason why some companies aren't buying the insurance?

WEISS: That's certainly one of the reason. There was a case with Sony and their insurance company. Sony wanted to get coverage, but their insurance policy didn't cover some of the incidents that Sony was exposed to. These kind of discussions and legal battles are obviously shying away clients from purchasing cyber-insurance. Besides that, the products are still not highly standardized. I looked at probably 15 different policies, and they are pretty unique still. You have some commonalities, like what is being covered, liabilities, obligations of customers. There are also some certain coverage or risk areas. But still, the products are custom designed to specific client needs.

Newness vs. Threat Environment

CHABROW: Is that because of the relative newness of cyber-insurance or is it because of the rapidly changing threat environment?

WEISS: A couple of reasons. First of all, of course, the environment is dynamically changing. There are constantly new threats that are emerging, also cyber risks. Cyberterrorism and things that we haven't previously seen; I saw on the news that Dixon's in the U.K. was being hacked. The website was hacked and there was an organization that has basically threatened them to disclose credit card information if they are not paying a certain amount. This is ransom to some degree.

CHABROW: Is this ransomware threat something that is insurable?

WEISS: There a couple of things that are being covered in these policies and that would be possible. Again the question is, how are these pretty typically these are the consequences of malware or viruses or whatever that are being brought into your network by improper use of end user. That is still end users are the biggest threat; it's still in these cases. The question is, would that be insured at all? That is one of the reasons, I mean this changing environment and then of course the constant evolvement there. There is still limited actuarial data to allow insurers to come up with precise calculations. That's another reason why these products are so individual. And of course, it's a growing industry as well. Insurers are banging the drums for cyber-insurance, and they are seeing huge market opportunities out there of course by fear, uncertainty, and doubt.

CHABROW: In other kinds of liability insurance there are hundreds, right?

WEISS: Absolutely. Cyber-insurance, if you look at it from the entire property and casualty market, is a single digit percentage. Still very small market environment, but of course specialized, and probably from a profitability point of view, quite interesting for insurance companies.

Additional Services

CHABROW: How valuable are additional services and how is that market developing?

WEISS: There are two basically two scenarios here. One scenario is you're going for a cyber-insurance policy and the insurer is covering the losses. They would just provide monetary compensation. There are also other policies where the insurer is providing for instance breach, data breach support, marketing support, public relations communication support, whatever. They are providing a set of experts which are at your command or which at your assistance as a client. I think that is peculiarly interesting and a good offering for smaller clients, smaller corporate clients that do not have the financial or the human skill, human resources, to establish these kind of data breach controls or data breach activities themselves. That's a very valuable offering especially for smaller customers.

Insurance Premiums

CHABROW: Do premiums vary widely as compared to other kinds of insurance?

WEISS: Yes, premiums would vary between roughly $15,000 to maybe $50,000 per $1 million loss. There is a wide range, which is not only attributed to new product types, but also to the types of risks. We're talking about large scale cyber terrorism issues, etc. You need to imagine that these policies are covering a broad range of risks; that is partly attributed to the distribution of policy premiums.

The Future of Cyber-Insurance

CHABROW: What do you think you'll be talking about with cyber-insurance in two years?

WEISS: There's not going to be an explosion in demand. We have seen steady growth during the last couple of years. The biggest benefit of cyber-insurance is that clients are becoming aware of the fact that this is not going to be the solution for their security and risk management issues. Cyber-insurance is going to be one element of least resource for their risk management practices. We're not going to see, in two years, everybody having a cyber-insurance policy. But hopefully we're going to be seeing more awareness about best risk management practices, and cyber-insurance could be one element of those best practices.

Around the Network