A kaleidoscope of risk: What’s next for cyberinsurance

Illustration: Si Weon Kim

Editor’s note: README excerpted this article from “Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks,” which was published by MIT Press in August 2022.

The development of the cyberinsurance market over the past three decades has been both disarmingly rapid and surprisingly slow. The rapidity has been demonstrated most vividly in the vast array of different policies and products that insurers have begun offering linked to cyber risks in the span of just a few decades. Unlike car, flood, or fire insurance, cyberinsurance does not cover a single, coherent type of threat, and unlike commercial general liability or property and casualty insurance it does not cover a particular, coherent set of damages. Instead, cyber risk insurance, in its various forms from stand-alone policies to add-on products, tries to tackle a range of different threats, from cybercrime and data breaches to network outages, user errors, and online extortion — and across that wide range of threats it also aims to encompass an astonishing number of different types of damage, from first-party costs, such as lost business, breach notifications, and ransom payments, to third-party costs tied to lawsuits and liability.

Trying to describe the cyberinsurance industry makes clear the extent to which cyberinsurance is fundamentally not a single thing but rather a range of different products that deal with computer-, data-, and network-related risks that intersect with any number of different threats and types of losses. And yet insurers have increasingly tried to establish it as a single, coherent market with dedicated policies and coverage specifically for cyber risk. To this end, they have also excluded cyber-related losses from their other coverage, steering customers toward stand-alone cyber policies instead. Even in their internal structure and organization, many insurers have set up dedicated cyber risk groups to develop these policies, in many cases leaving the cyberinsurance team siloed apart from the groups working on modeling and pricing other, related risks in different departments.

The cyberinsurance market has grown more slowly than many carriers anticipated, even in the aftermath of a series of high-profile cybersecurity incidents and data protection regulations that insurers had predicted would significantly boost sales. For instance, a 2015 PricewaterhouseCoopers report titled “Insurance 2020 & beyond: Reaping the Dividends of Cyber Resilience” projected that the cyberinsurance industry would triple between 2015 and 2020, reaching annual premiums of roughly $7.5 billion by 2020. Instead, in 2020, the NAIC estimated that the U.S. market for cyberinsurance was still under $4 billion in premiums, and that the take-up rate for cyber policies remained “relatively low” at 33%. A slew of ransomware attacks and other cybersecurity incidents beginning in 2019 also reduced the sizeable profit margins that carriers had previously enjoyed on cyber risk policies. In 2019, Aon estimated that the loss ratio for US cyberinsurance policies increased by 10%, to approximately 45%, compared to 35% in 2018. That meant that in the span of one year, carriers went from paying out roughly 35 cents in claims for each dollar of premiums collected to paying out 45 cents per dollar of premium payments — a significant change, particularly given the reputation cyberinsurance had acquired by then for being “more profitable for insurers than other lines of insurance,” as one 2019 ProPublica article put it, comparing the 35% loss ratio for cyberinsurance in 2018 to the 62% loss ratio for property and casualty insurance coverage.

But these changes have not deterred insurers from developing and marketing new policies and new partnerships to address cyber risks. This drive to sell cyberinsurance may stem in part from carriers’ desire to land customers while the market is still relatively new and businesses have not yet committed to a carrier, with carriers counting on their own ability to refine the risk models and pricing later, as they collect more data and learn more about the nature of cyber risk and the best methods for reducing exposure. But that assumption — that with time and data it will be possible to tame cyber risk using the same tools and techniques that have been applied with such success to so many other kinds of risk — relies on the idea that cyber risks are fundamentally no different from robberies or floods or car accidents or kidnappings in that they can be modeled and priced in their own comprehensive, stand-alone policies. This is not the case.

What differentiates cyber risk from other types of risk is not simply its scale, or how quickly it has evolved, or the complexity of computer networks, or the presence of determined and intelligent adversaries, or the uncertainty about how to mitigate these risks most effectively — though all of those characteristics undoubtedly do add to the considerable challenges of trying to craft cyberinsurance coverage. What makes cyber risk different is that it is not a single type of risk, that it extends to and interconnects nearly every other type of risk — from crime to liability to property and casualty losses — in ways so unpredictable and unprecedented that it is hard to imagine these actuarial complexities being captured simply by the collection of more data or use of more sophisticated modeling tools. These challenges of scale and interconnection echo, to some extent, the complexities that insurers have faced in covering growing environmental risks.

At least for the time being, there appears to be no shortage of insurers willing to sell cyberinsurance policies at affordable prices for businesses of all sizes. It’s not necessarily clear, however, that those policies actually cover the range of risks that policyholders believe or expect them to. Those unmet expectations are partly a function of the lack of standardized policy templates or clarity around exceptions, but they are also tied to the fact that, unlike environmental risks that correspond to a fairly clear and well-understood set of natural disasters, neither carriers nor policyholders are necessarily able to anticipate the kinds of cyber risks that will emerge even one or two years into the future.

Government interest in cyberinsurance has been predicated in large part on the notion that insurers will be able to reduce policyholders’ exposure to cyber risk. As early as 2011, the United States Department of Commerce Internet Policy Task Force referred to cybersecurity insurance as a potentially “effective, market-driven way of increasing cybersecurity.” The following year, the DHS speculated it could “help reduce the number of successful cyber attacks by promoting widespread adoption of preventative measures, encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection, and limiting the level of losses that companies face following a cyber attack.” Nearly a decade later, the only one of those goals that insurers seem even close to being able to achieve is that last one: limiting third-party losses, post-breach, by providing policyholders with immediate incident response resources and legal counsel. But while reducing the amount of data breach–related litigation may significantly decrease the costs associated with those breaches for the companies in question and, by extension, their insurers, it’s not clear that this actually increases cybersecurity for anyone, much less reduces the number of successful cyberattacks.

Nearly every challenge that insurers currently face in trying to model and price cyberinsurance reflects a problem they have encountered — and in many cases, solved — before, in the history of insurance. Selling car insurance required carriers to collect data about the evolving risks of a new and changing technology. To offer crime insurance, insurers had to take into consideration the actions of an intelligent adversary who can adapt to preventive countermeasures. Developing kidnapping and ransom policies meant dealing with the potential unintended consequences of making direct payments to criminals and thereby encouraging copycats. Designing terrorism coverage forced insurers to face the possibility of catastrophic, accumulated risk. What those types of insurance have in common — and do not share with cyberinsurance — is that they cover a coherent and relatively stable set of risks.

The task that falls to insurers in developing cyberinsurance, then, is not just to model and understand a new class of risk but also to remodel and rethink nearly every other existing class of risk they cover. No wonder they have gone to such lengths to try to exclude many cyber-related claims from their customers’ existing insurance and tried to shift as much cyber-related risk coverage as possible into isolated stand-alone cyber policies. That is the approach the insurance industry has taken with nearly every new set of risks it has expanded to cover. It allows carriers to continue to rely on their core business and products while exploring a new area, but at the same time it leaves them further entrenched in the idea that each of these classes of risk is distinct and distinguishable.

Looking ahead, cyber risks will only become increasingly intertwined with the existing classes of risks insurers cover. Autonomous vehicles will require carriers to rethink auto insurance; buildings furnished with Internet-connected heating and cooling systems, fire sprinklers, and security cameras will change property insurance. Devices that can constantly monitor users’ heart rates, activity levels, and other health indicators may similarly transform the field of health insurance. In some cases, these new technologies may enable insurers to monitor their policyholders more closely and require or recommend more stringent, high-tech safeguards against risks like car accidents, robberies, or heart attacks. But, inevitably, even as technologies like self-driving cars, security cameras with facial recognition capabilities, or health trackers may help reduce our exposure to some of these threats, they will also create new risks and introduce new avenues of attack via the complicated systems they connect to our cars, homes, and bodies.

Designing car insurance for autonomous vehicles won’t just require adjusting the existing models and policies; it will require radically reimagining them for a set of risks we know very little about, such as computer vision errors and vulnerabilities in car software systems. Beyond just trying to collect enough data to understand how frequently these types of risks occur and what their financial impacts are, insurers and policymakers will also have to rethink questions related to liability: who is responsible for car accidents that occur because of malicious software compromises or faulty machine-learning algorithms? The introduction of computers and computer networks to existing systems doesn’t just create new risks for those systems; it also introduces a new set of stakeholders and intermediaries who are involved in designing the relevant software and hardware, connecting those legacy systems to a larger network of computers, and then monitoring those connections to restrict malicious activity. All of these stakeholders, in addition to those who were already involved — the car manufacturer and the drivers, for instance — play a role in mitigating risks that are in some way connected to computers and are therefore important for thinking about effective and comprehensive liability regimes.

Insurers will probably look to the courts, and perhaps also to regulators, to help decide how these complicated liability issues will be resolved. But for there to be civil lawsuits about who is liable for autonomous vehicle accidents there first have to be enough such accidents for someone to sue, and it’s not clear that people will begin driving — or even selling — autonomous vehicles in any significant numbers until there is adequate insurance in place to protect them from liability. In other words, the typical cycle of insurers waiting for courts to dictate new liability regimes and then crafting policies to fit those regimes may not work for certain types of cyber risks associated with activities like driving, where insurance is expected, if not required. If insurers are unable to get a handle on coverage for cyber risks of all varieties, that could significantly slow, or even prevent, the process of people and businesses beginning to adopt the new technologies available to them.

Another concern is the possibility that emerging cyber risks will lead to a narrowing of insurance coverage rather than an expansion. Already, cyber-related losses are being explicitly excluded from many types of insurance but, for the most part, those exclusions are balanced by the development of new cyber risk policies that cover much of what is excluded from carriers’ other coverage. However, as they encounter new types of risk, insurers may decide there are some kinds of cyber risks they simply do not see themselves being able to cover.

It’s not surprising that insurers would look to excise cyber risks from non-cyber-specific policies and isolate them in stand-alone cyberinsurance policies in order to protect their existing core products from the uncertainty and unpredictability of cyber risk. But that isolation can also be counterproductive, for both carriers and their customers, when it gives credence to the idea that computer networks and data pose a distinct, definable set of risks that can be separated from the other categories of risk that insurers cover and policyholders face. Some cyber risks, like data breaches, AI algorithm errors, and online extortion, may in fact be so new and so unrelated to other, existing coverage that it makes sense for them to be covered in stand-alone policies, but as computer networks are increasingly embedded in existing physical infrastructure and systems, many — perhaps most — of the risks they present will belong under the same umbrella policies that already protect those domains.

This is what is most fundamentally new and different about cyber risk as compared to other types of risks that insurers have addressed in the past — not just that it can, at times, be more unpredictable or more catastrophic or more difficult to mitigate, but that it requires remodeling so many other categories of risks, in addition to creating a new class of insurance products for risks to entirely new kinds of infrastructure and operations. Insurers look to data collection to help shape their policies, but this is not a challenge that will diminish with time, as more data is collected and analyzed. Rather, it is a challenge that will only grow as computing technology continues to extend into new areas and applications. Moreover, part of the challenge of rethinking existing risk categories will involve acknowledging the increasing interconnectedness among them and the potential for a single attack to have significant impacts related to property damage, car accidents, liability, business interruption, data breaches, crime, and terrorism, simultaneously. In this regard, cyber risks may, in fact, render existing insurance risk categories more unpredictable, more catastrophic, and more difficult to mitigate than ever before.

As insurers continue to expand their cybersecurity coverage, they should also consider expanding the boundaries of how they define and conceptualize cyber risk within their organizational structures and underwriting categories. This means acknowledging the complicated and extensive connections between cyber risk and other coverage areas and crafting policies that recognize and reflect those connections. In the past, when a significant new type of risk has emerged, whether in the form of a novel type of legal liability or an innovative technology, the insurance sector has developed new products to cover those risks. When it comes to tackling cyber risk, however, the most important thing insurers can do is reinvent their old policies, rather than write new ones. Not all risks are cyber risks, but, increasingly, all types of risk have cyber components that insurers and their policyholders ignore or isolate at their peril.