Do people need insurance against hacking?
Cyberattacks cost the world more than natural disasters – US$3 trillion in 2015, a price that may climb to $6 trillion annually by 2021 if present trends continue. But most people – and even most businesses – don’t have insurance to protect themselves against this rising threat.
Insurance against all kinds of risks – disease, disaster, legal liability and more – is extremely common. In the U.S., companies, families and even government agencies paid a combined $2.7 trillion in insurance premiums in 2016 – and received payouts totaling $1.5 trillion. But just $2.5 billion – 0.09 percent of the total spending – went to buy insurance against cyberattacks and hacking. Elsewhere in the world, there’s even less coverage. For instance, in 2017 the cyberinsurance market in India was $27.9 million, 0.04 percent of the total insurance premiums paid in the country that year.
From my research on cybercrime and cybersecurity over the past two decades, it is clear to me that cyberattacks have become increasingly sophisticated. The cyberinsurance market’s extremely small size suggests that organizations and individuals might have underrated its importance. However, more and more internet users are finding reason to protect themselves. In 10 years’ time, insurance coverage for cyberattacks could be standard for every homeowner.
Certain types of companies tend to have – or not have – cyberinsurance. The larger the firm and the more closely it depends on computerized data, the more likely it is to have coverage against digital threats.
For a company, that can make sense, because a digital intrusion can cost hundreds of thousands or even millions of dollars to fix and recover from. For individuals, the costs of a breach are lower, but still significant – even as high as $5,000.
Regular people are far less likely to have digital protection than companies are. In India, personal cyberinsurance is less than 1 percent of the total cyberinsurance market. In the U.S. and elsewhere, most products are targeted at rich people. Insurers such as AIG, Chubb, Hartford Steam Boiler and NAS Insurance sell personal cyberinsurance policies as add-ons to homeowners’ and renters’ insurance.
The insurance industry is doing more, too. A wide range of insurers such as Munich Re, AIG’s CyberEdge, Saga Home Insurance, Burns & Wilcox and Chubb all offer cyberinsurance for individuals. These plans cover as much as $250,0000 to repair or replace damaged devices and to pay for expert advice and assistance if a cyberattack affects a policyholder. They may also include data recovery, credit monitoring services and efforts to undo identity theft.
Even health services may be included: AIG’s new product Family CyberEdge policy includes a coverage of one year of psychiatric services if a family member is victimized by cyberbullying. Also covered is lost salary if the victim loses a job within 60 days of discovering cyberbullying. Some insurers offer policies that provide help to assess policyholders’ data security practices and scan for cyberthreats.
Another cybercrime that’s becoming increasingly common is called ransomware – in which malicious software takes over a person’s computer and encrypts his or her data. Then the program demands the victim pay a ransom – often in bitcoin or other cryptocurrencies – to get the data decrypted.
Some ransomware attackers don’t actually decrypt the data, even if they get paid – but that hasn’t stopped victims from paying big bucks – at least $1 billion in 2016 alone. Even so, there are insurers who sell coverage against ransomware, providing backup and decryption services – or even paying the ransom.
As smart home systems become more popular – as well as various technologies to monitor and help coordinate local government services – they’ll provide more potential entry points for hackers. An average home insured by AIG has 20 Wi-Fi-enabled devices. Replacing a hijacked home’s entire smart lighting system, smart entertainment center, thermostat and digital security devices will be expensive – and the bill will only be higher for communities using internet-connected streetlights, water meters, electric cars and traffic controls. Those are opportunities for insurance companies to step in.
Before cyberinsurance becomes more common, however, the insurance industry will likely have to come to some consensus about what will and won’t be covered. At the moment each plan differs substantially – so customers must conduct a detailed assessment of their own risks to figure out what to buy. Few people know enough to be truly informed customers. Even insurance brokers don’t know enough about cyberrisks to usefully help their clients.
In addition, because cybercrime is relatively new, insurers do not have much data on how much various types of cybersecurity problems can cost to fix or recover from. They therefore tend to be conservative and overcharge.
As people become better-informed about the digital dangers in their lives, and as insurance companies are able to more clearly explain – and more accurately price – their coverage options, the cyberinsurance market will grow and may expand rapidly. In the meantime, most policies have some degree of custom design, so consumers should be careful to look for policies that actually cover their needs, and not just evaluate plans based on cost.