Cybersecurity insurance is a new and emerging industry. Companies that purchase cybersecurity insurance today are considered early adopters. Cybersecurity policies can change from one month to the next, given the dynamic and fluctuating nature of the associated cyber-risks. Unlike underwriters of well-established insurance plans, underwriters of cybersecurity insurance policies have limited data from which to formulate risk models to determine insurance policy coverages, rates and premiums.
The loss, compromise or theft of electronic data can have a negative impact on a business, including the loss of customers and revenue. Businesses may be liable for damages stemming from the theft of third-party data. Cyber liability coverage is important to protect businesses against the risk of cyber events, including those associated with terrorism. Cyber-risk coverage can assist in the timely remediation of cyber attacks and incidents.
In 2011, Sony's PlayStation Network was breached by hackers, exposing personally identifiable information (PII) of 77 million PlayStation user accounts. The breach prevented users of PlayStation consoles from accessing the service, an outage that lasted for 23 days. Sony incurred over $171 million in costs related to the breach.
Cyber insurance policies are sold by many of the same suppliers that provide related business insurance, such as errors and omissions (E&O) insurance, business liability insurance and commercial property insurance. Most policies include first-party coverage, which applies to losses that directly impact a company, and third-party coverage, which applies to losses suffered by others from a cyber event or incident, based on their business relationship with that company.
In the United States, most major insurance companies offer customers cybersecurity insurance policy options. Depending on the price and type of policy, the customer can expect to be covered for extra expenditures resulting from the physical destruction or theft of information technology (IT) assets. Such expenditures typically include costs associated with the following:
Some cyber insurance policies cover the cost of providing credit monitoring services for customers affected by a data breach. In September 2017, Equifax, a consumer credit reporting agency, suffered a data breach that exposed the personal information of 147 million people. In 2019, Equifax reached a settlement with the U.S. Federal Trade Commission (FTC). As part of the settlement, Equifax agreed to spend $425 million to provide free credit reporting, cash payments (e.g., for those already enrolled with a credit monitoring service), reimbursement for time or money spent on recovering from identity theft, and free identity restoration services.
Typically, cyber insurance pricing is based on the insured entity's annual revenue and industry. To qualify for coverage, the individual or entity typically must submit to a security audit by the insurance company or provide documentation with the assistance of an approved assessment tool, such as that offered by the Federal Financial Institutions Examination Council (FFIEC). The results from a security audit or the documentation from approved assessment tools will factor into the types of coverage provided by the cyber insurance provider, as well as the cost of the premiums.
As of 2019, the cybersecurity insurance market is still young, and many companies are choosing to forgo this type of insurance because of its uncertain return on investment (ROI). In the United States, the Cybersecurity and Infrastructure Security Agency (CISA), which operates under the Department of Homeland Security (DHS), is encouraging businesses to improve their cybersecurity in return for more coverage at more affordable rates.