Despite everyone’s best efforts as the world continues to digitize, cyber incidents will loom large and create operational and financial havoc for their victims and communities. Ransoms have skyrocketed from five-figures into the millions, a recent example being an over US$4 million ransom reportedly paid by Colonial Pipeline.
All of this is further escalation of a worrisome trend: A recent report by our friends and partners at Hiscox shows insured cyber losses of US$1.8 billion in 2019, up an astonishing 50% year over year. When an organization falls prey to cybercrime, the ransom is only one component of the financial cost. There are also remediation expenses, including lost orders, business downtime, consulting fees and other unplanned expenses.
Cybersecurity Ventures expects global cybercrime to reach US$10.5 trillion annually by 2025. If this is true, this would represent the greatest transfer of economic wealth in history and arguably larger than the global trade of all major illegal drugs combined.
Will these trends lead to cyber insurance becoming a requisite, if not mandatory purchase for businesses to manage their digital health and safety, in the same way businesses are made to purchase workers’ comp to manage their employee health and safety practices?
My view is there are strong arguments to say “yes”. Cyber insurance will become as commonplace as workers’ comp for businesses of all sizes.
Four reasons why:
1. Cyber insurance is core to building a ‘digitally’ resilient and healthy business sector which is vital to most countries’ economic health.
In most countries, 90% of employees in the private sector work for Small to Medium Enterprises (SMEs).
It’s widely reported that 60% of SMEs that have become the victim of cyber crime go out of business, or are severely financially impaired, which generally leads to loss of jobs. Without cyber insurance, governments would be left picking up the bill for businesses that become digital road-kill – something they’d undoubtedly prefer to dodge.
2. Governments are setting the climate for cyber insurance to shield businesses from the ‘Privacy Revolution’.
Firstly, replace Industrial Revolution with Privacy Revolution. The Industrial Revolution brought manufacturing to the forefront. New factories making goods at scale caused hazardous work conditions and eventually led to the creation of the health and safety standards we have today.
As a result of the horrors in employee safety, governments first introduced new health and safety practices, followed by regulation to enforce these policies and then workers’ comp insurance as a final back-stop.
Today’s pace of digitization exposes a relatively new and equally toxic exposure – our data privacy. We can see a very similar playbook being played out with regard to data privacy. A substantial amount of government money is being directed to help business practices become more privacy savvy – initiatives like Cyber Essentials in the United Kingdom and Trust Mark in Singapore are two that come to mind.
Policymakers across the world are also tightening up data privacy regulation to penalize companies that do not adequately protect client data. It’s not a leap to see cyber insurance, or at least the data privacy liability elements, following the same path as workers’ comp insurance.
3. The Dark forces behind cyber ransomware will fade away.
Back to pirates. In the early 18th Century, piracy in the Caribbean was rife. It was arguably encouraged in some places where authorities felt their causes aligned. And, when the pirates caused governments more issues than the solved, they were put out of business. On September 5, 1717, King George I issued the “Proclamation for Suppressing of Pirates” – The King’s Pardon. The British Crown offered clemency to any pirate who surrendered themselves to a governor of the colonies by September 5, 1718 and suddenly, the Pirate Golden Age was over. Some of the former pirate gangs accepted the King’s Pardon and spent their final years hunting pirates on behalf of the authorities.
It’s very possible we are seeing the same trends happening in the world of cybercrime. It’s foreseeable to see coverage for ransomware scale back as governments say enough is enough.
The new US administration has made combating criminal hacking groups a top national security priority amid a sharp increase in ransomware attacks on USA assets. DarkSide, the suspected Russian group accused of the ransomware attack on Colonial Pipeline, shut down its dark web pages afterward. According to cybersecurity experts, it’s unclear whether the group actually retired or rebranded under a new name, but this direction sets a clear marker.
A more manageable cyber extortion threat exposure will result in a less volatile cyber insurance market.
4. Like workers’ comp, cyber insurance eligibility requirements will raise the bar on business performance.
Progressive versions of workers’ comp insurance have led to continued improvements in employee health and safety controls. It’s encouraged greater proactive prevention efforts aimed at reducing the risk of workplace injuries and their resulting health and financial impacts. Like workers’ comp, as the cyber insurance world begins to better understand cyber risk, better data will become available to show the connection between preventative behaviour, such as implementing better security controls, and the behaviour’s impact on cyber losses. Firms will be pressed to further invest in security and protection and work with their insurer to demonstrate why they are a better ‘write’ than the next application form in their inbox. Insurers will get better at helping organizations understand how cyber risk management affects potential revenue, profit, brand and other measures of success. This is part of the evolution to mass product adoption.
I could be wrong. There are two main reasons that may result in cyber insurance not reaching the same penetration levels as workers’ comp. Perhaps insurers reduce their capacity levels as premiums can’t catch up with the level and cost of claims; or the level of demand for cyber insurance tails off. It could be a hybrid, but let’s take the two points in turn:
a. Insurers withdraw capacity, significantly cutting back the availability of cyber insurance, resulting in penetration levels much lower than workers’ comp.
Insurers tend to withdraw capacity from product lines when there’s not enough money to be made. This scenario is based on the cyber insurance industry effectively throwing in the towel and leaving private enterprises to figure out how to manage their cyber exposure on their own.
My view: The cyber environment is undoubtedly delicate, given the combination of threat volatility and recent losses. Market regulators and most insurer shareholder bases don’t like underwriting shocks. A continued wave of large scale cyberattacks similar to the ones we’ve seen wouldn’t pose a solvency threat, but I would expect it to raise some eyebrows. A worst-case global digital catastrophic event could result in structural changes to the cyber class of business – but again, would it make the entire insurance and reinsurance industry a lot less interested in cyber? I don’t think so. The industry has stepped up time after time to smooth the path to greater advances in mobility, healthcare, logistics and financial services and cyber will be the same. In the USA, insurance accounts for roughly $1 of every $4 spent.
b. Demand for cyber insurance will tail off.
Today, there are numerous ways that a cyber breach can cripple a company. Hackers can take down your network or trick the accounts team to release funds. There are third party liabilities from data privacy leaks, and virus or ransomware that corrupts or threatens to corrupt your data files – all resulting in longer term damage to your brand and future cash flows. This scenario assumes companies find an affordable way to minimise these exposures and absorb the risk of them being found fallible, and that policymakers stand on the sidelines and don’t look to protect the business sector through making cyber insurance a condition to operate, in the same way that workers’ comp has become.
My view: Right now, we are experiencing a massive increase in demand for cyber insurance, even though there is an equally massive market correction underway. Why? Because companies are realising they can’t prevent every threat and the cost of being caught out is spiralling. As we see current threats become more manageable, there is no doubt that newer ones will emerge. Businesses will continue to rely on cyber insurance to help them contain the breach and the longer term damage to their business. In addition, policymakers and class action specialists will continue to penalise businesses that fall short of increasingly tight privacy standards, which will lead boards of directors, vendors and banks to insist on cyber insurance being in place with every business they are involved with.
How long will it take for cyber insurance to become mandatory?
While all signs are pointing to cyber insurance becoming a ‘must-have’ insurance, like workers’ comp, we are left with one more question: How long will it take? It won’t happen overnight, but it will be sooner than we think. Cyber growth is expected to outpace the growth of the economy.
Like workers’ comp, cyber insurance growth will be propelled by policymakers getting increasingly involved. It took the US over 37 years for every state to pass its own workers’ comp law. Wisconsin was the first in 1911. That same year, nine other states had workers’ comp acts. Nine years later, 36 states had passed laws. Mississippi was the final state to enact a workers’ comp law in 1948. There’s a clear parallel for data privacy regulation – all 50 states now have a data breach notification laws in some form and they continue to be tightened in several of them.
One of the earliest examples of a workers’ comp system dates back to 2050 B.C. – a law in Ancient Sumeria paid workers for their injuries. Similar laws were also in place in Ancient Greece, China and other parts of the world. It’s arguable that workers’ comp was always a global insurance product.
Like workers’ comp, I think that similar trends will become the norm elsewhere across the globe and result in cyber insurance becoming a “must-have” insurance in the not-too-distant future.
Blog written by Vishal Kundi,
CEO & Co-Founder of BOXX Insurance Inc.