Moreover, cyber insurance accounted for only a small fraction — between $1.5 billion to $3 billion — of the $505.8 billion generated in premiums by U.S. insurers. The reasons behind the struggling cyber insurance market are myriad and traceable to obstacles facing both insurers and consumers. A recent report by the Deloitte Center for Financial Services attempted to identify the barriers affecting growth in this promising line of insurance.
From the insurers' standpoint, the lack of historical data on cyber losses significantly inhibits their ability to build predictive models and properly assess cyber risk. Simply put, cyber insurance has not been sold for long enough to develop suitable market trends.

Vast majority of cyber crimes go unreported

The U.S. government does not maintain a centralized database cataloging cyber attacks. Moreover, because of the sensitive nature of cyber crimes, the vast majority go unreported. With insufficient data, insurers are loath to offer comprehensive coverage.

In addition, cyber attacks continue to evolve in scope and sophistication. Like terrorism, cyber attacks can occur at any time, any place, and to anyone. With an unpredictable and changing underlying exposure, insurers cannot anticipate and mitigate against these cyber risks.

Because of these obstacles confronting insurers, consumers face an uneven and expensive market for cyber insurance products. Insurers offer a patchwork of various coverages, often with minimal limits and nonstandardized language. Moreover, many companies erroneously assume that their general or professional liability policies cover cyber risks. Errors and omissions policies, however, typically do not cover cyber thefts and hacking schemes that trick employees into issuing payments or divulging confidential and proprietary information.

While commercial crime policies may cover the theft itself, they do not account for other cyber-related expenses like forensics, credit monitoring, crisis management, and reputational risks. Yet, standalone cyber policies lack standardized language within the industry. Differing terminology from insurer to insurer inhibits a buyer's ability to compare coverage and pricing. This also affects claims management and coverage disputes, as courts have not been able to interpret and enforce uniform cyber insurance provisions to provide clarity to both insurers and insureds.

Steps to wide-ranging coverage

Despite these hurdles to a thriving cyber insurance market, Deloitte offered several concrete steps to facilitate access to wide-ranging coverage that is both simple and affordable. As frequent targets of hackers, insurers can draw on their own cybersecurity experiences to develop more accurate predictive models.

Following the lead of U.S. intelligence agencies, insurers could also partner with IT professionals and former hackers in order to understand the scope and nature of cyber losses. Alternatively, insurers could issue more specialized cyber products tailored to specific types of exposure such as data breaches or specific areas of technology in order to better assess their risks on a smaller, more manageable scale. Furthermore, insurers could provide all-inclusive cyber risk management services and post-loss recovery support with their insurance products. This will benefit consumers and businesses by helping prevent cyber incidents from occurring and ultimately lowering premiums, while also decreasing loss frequency for insurers and bolstering account retention.

In the next decade, the proliferation of driverless cars and ride-sharing will likely hurt the insurance industry's most profitable line of business, auto coverage. Moreover, automation and the changing nature of the nation's labor force will inevitably affect another large line, workers' compensation. Accordingly, cyber insurance is one of the few promising areas for long-term growth.

With an ever-increasing spotlight on cyber crimes and hacking, consumer interest in insurance products to protect against those risks will only intensify. If the insurance industry does not become a more reliable provider of comprehensive and affordable cyber coverage, insurers will be left behind as businesses seek alternative methods of managing risk.