2016 was definitely the year of cyber insurance emergence. As large-scale attacks and disclosures of massive data-breaches were reoccurring along the year, we realized once again that allocating tremendous efforts and resources to your cybersecurity defense does not provide any guarantee you won’t experience an incident.
Executives and Security professionals are gradually accepting that it is not a matter of if but a matter of when their organization will be hit by a cyber-attack. With this understanding, many businesses acknowledge cyber insurance as an important tool in the multilayer cybersecurity defense approach and declare it is an essential part of their risk mitigation strategy.
As we start 2017, here are some of my personal predictions for the cyber insurance market:
- An increasing number of security vendors will provide insurance guarantees. 2016 signaled a new path in the cybersecurity industry as few emerging startups started to offer a cyber insurance coverage of up to $1M per organization which will be fully covered with their defense solutions (e.g. SentinelOne and Cymmetria). I expect this trend to intensify through 2017, and well established vendors will gradually follow to offer a bundle of protection plus insurance.
- A high increase in the number of insurance companies which will start to offer cybersecurity services. As cyber insurance is emerging and as many new insurance companies are entering the market (currently approximately 70 insurers offer stand-alone cyber insurance products), there is a race for the best cybersecurity talent to assess the risks and provide pre- and post breach services as monitoring, incident response, forensics, etc. In this atmosphere, insurers will acknowledge the revenues they can make from cyber insurance and adjacent security services to their clients, and will (and already do) expand their teams with the cybersecurity professionals and tools through aggressive hiring and M&As.
- Cyber extortion coverage will take the lead as the most demanded cyber insurance product. Ransomware is exploding across geographies, industries and all size of businesses. Following the massive DDoS attacks on Krebs on Security and Dyn, the IoT world opens a new world of DDoS attacks which no load balancer can mitigate. I expect that cyber extortion will become the biggest problem for organizations and individuals, and will surpass data breaches as the main threat.
- Adoption of advanced tools for risk assessment will increase. There is a high demand for tools that will allow insurers an accurate, scalable and affordable risk assessments which will streamline the entire, mainly manual, questionnaires based risk quantification methodology which is the common practice today.
- New regulations will be introduced and will support the expansion of the cyber insurance market. There are high chances that few more US states will introduce regulations that support risk assessments on a regular basis internally, of third party vendors and enforce security policies on organization as suggested by the new NY proposal for the big financial institutes which was released last September.
- Penetration rate of cyber insurance among SMBs will be the driving force of the industry. As awareness of cyber-attacks increases among small and medium sized business, they realize that cyber insurance is an essential security tool, particularly due to their limited cybersecurity resources. I expect to witness higher percentages of the SMB segment which will purchase cyber insurance coverage, leading to total market size increase as current estimation rely on low adoption rate in these segments.
- Few insurers will introduce personal cyber insurance coverage. As ransomware became a threat to any operating system and any device, it is forecasted that it will gradually become a serious problem for individuals as well, and hand by hand will lead cyber insurance companies to offer personal cyber insurance coverage.
Cyber insurance is here to stay and insurers, brokers, business and individuals will benefit as this market continues to evolve. Growth will be sustained mainly in the US market, tough it is high likely to expand worldwide, especially in the EU as GDPR will start to be effective.
No matter which part of the IT security eco-system you fit into, you should explore the benefits cyber insurance can bring to you – revenues, financial hedge and cyber peace of mind.