Commentary: As digital threats multiply, will cyber insurance take off?
Smart home technologies may be vulnerable to hackers, yet many don’t have insurance to protect themselves against this rising threat, says one observer.
NORTH CAROLINA: Cyberattacks cost the world more than natural disasters – US$3 trillion in 2015, a price that may climb to US$6 trillion annually by 2021 if present trends continue.
But most people – and even most businesses – don’t have insurance to protect themselves against this rising threat.
Insurance against all kinds of risks – disease, disaster, legal liability and more – is extremely common.
In the US, companies, families and even government agencies paid a combined US$2.7 trillion in insurance premiums in 2016 – and received payouts totalling US$1.5 trillion. But just US$2.5 billion – 0.09 per cent of the total spending – went to buy insurance against cyberattacks and hacking.
Elsewhere in the world, there’s even less coverage. For instance, in 2017 the cyber insurance market in India was US$27.9 million, 0.04 per cent of the total insurance premiums paid in the country that year.
Cyberattacks have become increasingly sophisticated. The cyber insurance market’s extremely small size suggests that organisations and individuals might have underrated its importance. However, more and more internet users are finding reason to protect themselves.
In 10 years, insurance coverage for cyberattacks could be standard for every homeowner.
Certain types of companies tend to have – or not have – cyber insurance. The larger the firm and the more closely it depends on computerised data, the more likely it is to have coverage against digital threats.
For a company, that can make sense, because a digital intrusion can cost hundreds of thousands or even millions of dollars to fix and recover from.
For individuals, the costs of a breach are lower, but still significant – even as high as US$5,000.
Regular people are far less likely to have digital protection than companies are. In India, personal cyber insurance is less than 1 per cent of the total cyber insurance market.
In the US and elsewhere, most products are targeted at rich people. Insurers such as AIG, Chubb, Hartford Steam Boiler and NAS Insurance sell personal cyber insurance policies as add-ons to homeowners’ and renters’ insurance.
The insurance industry is doing more, too. A wide range of insurers such as Munich Re, AIG’s CyberEdge, Saga Home Insurance, Burns & Wilcox and Chubb all offer cyber insurance for individuals.
These plans cover as much as US$250,0000 to repair or replace damaged devices and to pay for expert advice and assistance if a cyberattack affects a policyholder. They may also include data recovery, credit monitoring services and efforts to undo identity theft.
Even health services may be included: AIG’s new product Family CyberEdge policy includes a coverage of one year of psychiatric services if a family member is victimised by cyberbullying. Also covered is lost salary if the victim loses a job within 60 days of discovering cyberbullying.
Some insurers offer policies that provide help to assess policyholders’ data security practices and scan for cyberthreats.
Another cybercrime that’s becoming increasingly common is called ransomware – in which malicious software takes over a person’s computer and encrypts his or her data. Then the programme demands the victim pay a ransom – often in bitcoin or other cryptocurrencies – to get the data decrypted.
Some ransomware attackers don’t actually decrypt the data, even if they get paid – but that hasn’t stopped victims from paying big bucks – at least US$1 billion in 2016 alone. Even so, there are insurers who sell coverage against ransomware, providing backup and decryption services – or even paying the ransom.
As smart home systems become more popular – as well as various technologies to monitor and help coordinate local government services – they’ll provide more potential entry points for hackers. An average home insured by AIG has 20 Wi-Fi-enabled devices.
Replacing a hijacked home’s entire smart lighting system, smart entertainment centre, thermostat and digital security devices will be expensive – and the bill will only be higher for communities using internet-connected streetlights, water meters, electric cars and traffic controls. Those are opportunities for insurance companies to step in.
GROWING THE CYBER INSURANCE MARKET
Before cyber insurance becomes more common, however, the insurance industry will likely have to come to some consensus about what will and won’t be covered.
At the moment each plan differs substantially – so customers must conduct a detailed assessment of their own risks to figure out what to buy. Few people know enough to be truly informed customers. Even insurance brokers don’t know enough about cyber risks to usefully help their clients.
In addition, because cybercrime is relatively new, insurers do not have much data on how much various types of cybersecurity problems can cost to fix or recover from. They therefore tend to be conservative and overcharge.
As people become better-informed about the digital dangers in their lives, and as insurance companies are able to more clearly explain – and more accurately price – their coverage options, the cyber insurance market will grow and may expand rapidly.
In the meantime, most policies have some degree of custom design, so consumers should be careful to look for policies that actually cover their needs, and not just evaluate plans based on cost.
Nir Kshetri is professor of management at University of North Carolina-Greensboro. This commentary first appeared on The Conversation.