Cyber Risk: Threat and opportunity - III Report
Executive Summary
• Interest in cyber insurance and risk has grown beyond expectations in 2014 and 2015 as a result of high-profile data breaches, including a massive data breach at health insurer Anthem that exposed data on 78.8 million customers and employees and another at Premera Blue Cross that compromised the records of 11 million customers. The U.S. government has also been targeted by hackers in two separate attacks in May 2015 that compromised personnel records on as many as 14 million current and former civilian government employees. A state-sponsored attack against Sony Pictures Entertainment, allegedly by North Korea, made headlines in late 2014.
• Cyber attacks and breaches have grown in frequency, and loss costs are on the rise. In 2014, the number of U.S. data breaches tracked hit a record 783, with 85.6 million records exposed. In the first half of 2015, some 400 data breach events have been publicly disclosed as of June 30, with 117.6 million records exposed. These figures do not include the many attacks that go unreported. In addition, many attacks go undetected. Despite conflicting analyses, the costs associated with these losses are increasing. McAfee and CSIS estimated that the likely annual cost to the global economy from cybercrime is $445 billion, with a range of between $375 billion and $575 billion.
• Insurers are issuing an increasing number of cyber insurance policies and becoming more skilled and experienced at underwriting and pricing this rapidly evolving risk. More than 60 carriers now offer stand-alone cyber insurance policies, and insurance broker Marsh estimates the U.S. cyber insurance market was worth over $2 billion in gross written premiums in 2014, with some estimates suggesting it has the potential to grow to $5 billion by 2018 and $7.5 billion by 2020. Industry experts indicate rates are rising, especially in business segments hit hard by breaches over the past two years.
• Some observers believe that cyber exposure is greater than the insurance industry’s ability to adequately underwrite the risk. Cyber attacks have the potential to be massive and wide-ranging due to the interconnected nature of this risk, which can make it difficult for insurers to assess their likely severity. Several insurers have warned that the scope of the exposures is too broad to be covered by the private sector alone, and a few observers see a need for government cover akin to the terrorism risk insurance programs in place in several countries.