The Office of Financial Research (OFR) says that cyber insurance premiums are rising as the insurance industry struggles with this unpredictable new coverage area.

The OFR said in its annual report to Congress, published this month, that while cybersecurity is probably the financial industry’s biggest concern at this point, insuring against it is getting more expensive. Part of the reason is that underwriters and actuaries lack adequate data for their risk models.

“Premiums on cyber insurance policies written have been rising. At the same time, the insurance industry is concerned that it lacks a good sense of its potential exposure to claims in a major cybersecurity event. The industry also lacks good data to support its pricing and underwriting policies, which itself is a vulnerability,” the report says.

The OFR is an independent bureau within the US Treasury Department that conducts research on financial stability, and must report annually to lawmakers.

So it’s unpredictable—even if you did have a full dataset on what has already happened, it’s not necessarily totally predictive of what will happen.

Sam Friedman, Deloitte

The OFR report cites figures that show that the total value of cyber insurance premiums written (including premiums for standalone and packaged cybersecurity insurance) by US insurers increased from about $1.5 billion in 2015 to about $3.5 billion in 2018.

Sam Friedman, a research leader at Deloitte, says the challenge for underwriters and actuaries is that the threat environment is constantly evolving. Generally, the number-crunchers at insurance firms can make accurate predictions about the risk of a house being in the path of a hurricane, for example, or the risk of a car accident on a particular stretch of road. But there is insufficient historical data on cybersecurity breaches, partly because many people and businesses don’t report the incidents they experience, even significant attacks on their systems and data.

Additionally, threats are constantly evolving. A cyber breach can hit any business at any time, and the perpetrators come up with new approaches all the time, even using advanced technology like artificial intelligence to penetrate systems.

“Insurers deal with rearview mirrors—they look at what has already happened and use that to project what might happen, the probabilities of it happening in the future. The problem with cyber risk is that it is an evolving exposure … And that can give insurers pause because they don’t know what they don’t know. How serious is the risk, how widespread is it, what is really happening out in the market?” Friedman says.

 “So it’s unpredictable—even if you did have a full dataset on what has already happened, it’s not necessarily totally predictive of what will happen.”

Many firms take out cyber insurance as part of a subsidiary coverage added to more traditional exposures, Friedman says. Companies can build cyber insurance into their standard policies for property and liability coverage, or even include it in a directors and officers policy, to cover the eventuality that a company is breached and management is held accountable.  

Increasingly, there is a market for standalone cyber insurance, but it’s in its early stages still. “Insurers are still figuring this out and it’s going to take some time for them to gain the level of comfort to write higher limits coverage,” Friedman says.

Friedman has been leading a team at Deloitte studying this emerging coverage area, and is currently working on their second report. His research has focused on middle-market companies, Friedman says, as this is the segment that is struggling most with cyber risk generally, and even more so with insuring against it.

“Insurers are starting to restrict or exclude cyber from standard policies and are trying to steer people towards more of a standalone policy. But we have found when we talk to people who have not yet bought standalone policies that they have concerns about the cost and level of coverage involved—are they really getting what they are paying for?”

There is still no standard for what cyber insurance products should cover, says Prashant Pai, vice president of cyber offerings at risk analytics company Verisk. Verisk is looking for opportunities in this industry with products that drive standardization of policies for small- and medium-sized enterprises, as well as developing a database on companies for underwriters and a portfolio tool for insurers and reinsurers.

“As the cyber insurance product itself is quite new, so there are a lot of questions about what it should cover. One school of thought says we should only cover any malicious incidents that happen,” Pai says. “But a lot of cyber incidents are just caused by human error—someone misconfigures a shared server, something like that. We are in such a state of evolution that it will be some years till we have more defined coverage and we get to a more stable environment.”