Cyberattacks cost more than natural disasters.
Cyberattacks cost the world more than natural disasters — $3 trillion in 2015, a price that may climb to $6 trillion annually by 2021 if present trends continue. But most people — and even most businesses — don’t have insurance to protect themselves against this rising threat.
Insurance against all kinds of risks — disease, disaster, legal liability, and more — is extremely common. In the US, companies, families, and even government agencies paid a combined $2.7 trillion in insurance premiums in 2016 — and received payouts totaling $1.5 trillion. But just $2.5 billion — 0.09 percent of the total spending — went to buy insurance against cyberattacks and hacking. Elsewhere in the world, there’s even less coverage. For instance, in 2017 the cyber insurance market in India was $27.9 million, 0.04 percent of the total insurance premiums paid in the country that year.
From my research on cybercrime and cybersecurity over the past two decades, it is clear to me that cyberattacks have become increasingly sophisticated. The cyber insurance market’s extremely small size suggests that organizations and individuals might have underrated its importance. However, more and more internet users are finding reason to protect themselves. In 10 years’ time, insurance coverage for cyberattacks could be standard for every homeowner.
Who Is Buying Cyber Insurance?
Certain types of companies tend to have — or not have — cyber insurance. The larger the firm and the more closely it depends on computerized data, the more likely it is to have coverage against digital threats.
For a company, that can make sense, because a digital intrusion can cost hundreds of thousands or even millions of dollars to fix and recover from. For individuals, the costs of a breach are lower, but still significant — even as high as $5,000.
Regular people are far less likely to have digital protection than companies are. In India, personal cyber insurance is less than 1 percent of the total cyber insurance market. In the US and elsewhere, most products are targeted at rich people. Insurers such as AIG, Chubb, Hartford Steam Boiler, and NAS Insurance sell personal cyber insurance policies as add-ons to homeowners’ and renters’ insurance.
The insurance industry is doing more, too. A wide range of insurers such as Munich Re, AIG’s CyberEdge, Saga Home Insurance, Burns & Wilcox, and Chubb all offer cyber insurance for individuals. These plans cover as much as $250,0000to repair or replace damaged devices and to pay for expert advice and assistance if a cyberattack affects a policyholder. They may also include data recovery, credit monitoring services, and efforts to undo identity theft.
Even health services may be included: AIG’s new product Family CyberEdge policy includes a coverage of one year of psychiatric services if a family member is victimized by cyberbullying. Also covered is lost salary if the victim loses a job within 60 days of discovering cyberbullying. Some insurers offer policies that provide help to assess policyholders’ data security practices and scan for cyber threats.
Another cybercrime that’s becoming increasingly common is called ransomware— in which malicious software takes over a person’s computer and encrypts his or her data. Then the program demands the victim pay a ransom — often in bitcoin or other cryptocurrencies — to get the data decrypted.
Some ransomware attackers don’t actually decrypt the data, even if they get paid — but that hasn’t stopped victims from paying big bucks — at least $1 billion in 2016 alone. Even so, there are insurers who sell coverage against ransomware, providing backup and decryption services — or even paying the ransom.