GCC's Blog

Cyber Insurance: Putting a Price on Intangible—Yet Extremely Valuable—Assets

Jonathan Kaplan

Senior Innovation Analyst

Oct 2, 2019

When someone breaks into your house and steals your TV or jewelry, homeowners or renters insurance can help cover the loss and get you back on track, but what happens when someone breaks into your online accounts and gains access to your personal data? Who can keep that safe and compensate you when it gets violated? And what happens when the attack is on a big company, government organization, or city?

Around the world, insurance and reinsurance companies and forums are buzzing with discussions on cyber attacks and whether they are practically insurable. Whereas it’s relatively easy to put a price on a stolen luxury watch or iPad, it’s a lot harder to do the same for personal data. At the same time, however, these days the “value” of data is enormous; so many aspects of our lives—finances, health, security, and more—depend on those bits and bytes, and when they get into the wrong hands, the damage can be tremendous. According to the World Economic Forum, “Economic loss due to cybercrime is predicted to reach $3 trillion by 2020, and 74% of the world’s businesses can expect to be hacked in the coming year.”  

As you read this, companies around the world are hard at work developing cyber insurance services based on the latest technologies, but the product/market fit remains vague and unknown to all parties involved, whether on the demand side or the supply side.

Several questions arise when it comes to product/market fit and cyber insurance: First, is there enough data available to understand how to properly underwrite a cyber insurance policy? If so, who would be the ideal source to provide it, and how long would it remain relevant, given that cyber threats are constantly evolving? Second, in building an insurance policy, what is the best model for it? From the insurance perspective, should we think about and treat cyber attacks the way we do natural disasters or more like organized crime? And where do we draw the line between governments and the private sector in terms of responsibility and action?

As explained in a report by the Carnegie Endowment for International Peace, “Unlike physical attacks, the dividing lines between state-sponsored or state-abetted cyber aggression and organized cybercrime are far more (and often deliberately) blurred. Even when it is possible to attribute a cyberattack to a malicious perpetrator, it is much harder to confidently establish that a nation-state is complicit—as is often perceived to be the case with cyber aggression traced to perpetrators in the Russian Federation in particular. This makes it more difficult for governments to determine when and how to step in to deter, respond to, retaliate against, or prosecute offenders even when they wish to.”

Many companies are delving into cyber insurance through the angle of technology, but they rarely focus exclusively on insurance against cyber attacks. Rather, they go further into assessing the risks a company faces, helping to manage that risk, and attempting to pave a way to prevent threats altogether. The challenge, however, is that this approach seems to bypass many of the overarching questions—especially in cases in which a cyber attack has already occurred—ultimately leaving them unaddressed.

Some companies following this path are: At-Bay, which uses technology to bundle insurance coverage, risk management, and broker tools into a service; Cytegic, a cloud-based cyber risk management platform; Kovrr, which focuses on predictive cyber risk modeling; and Cyberwrite, which profiles and benchmarks companies to determine their risk vis-à-vis cyber insurance. Arceo.ai, which very recently raised a $37 million round of funding, also focuses on real-time data and analytics, which it provides to insurers so they can evaluate a company’s security and cyber risk management behavior and keep their underwriting processes up to date. Still, while making huge strides, all these companies are operating in territory that can best be described as murky, given that the data and methodologies are new and differ vastly from those employed in traditional insurance products.

Much of the discussion on cyber insurance has focused on cyber attacks on the data centers of large organizations, whether public or private, given their ability to wreak havoc and seize so much data at once. In 2014, the U.S. Office of Personnel Management announced that it had been the target of a data breach, in which approximately 21.5 million records of some four million people had been stolen, including data of people who had just begun to undergo the background-check process, but weren’t actually government employees. Russian cyber warfare is also thought to have been employed against the Democratic National Committee to help Donald Trump’s 2016 presidential campaign. One of the most famous cyber attacks is the 2017 Equifax data breach, in which the names, Social Security numbers, credit card information, birth dates, addresses, and driver’s license numbers of 145.5 million U.S. Equifax consumers were compromised. VentureBeat called it “one of the biggest data breaches in history.”

While these figures are staggering, this is likely just the tip of the iceberg. After all, for most of us, “personal data” remains a vague and abstract concept that we can’t quite fathom. But what will happen when hackers use cyber attacks to shut down public or mass transportation, such as trains, buses, and planes, or take over our personal vehicles, including cars, motorcycles, and scooters, causing real chaos that we can feel? And what about when cyber attacks seep into the personal devices we use day in and day out, such as our phones, tablets, personal computers, wearables, and smart home devices? That’s when we—and the companies creating or servicing those methods of transportation and devices—are likely to truly start feeling the heat, and cyber insurance will have to accelerate to catch up.