When PricewaterhouseCoopers released a report in 2015 that predicted the cyber insurance industry would see premiums triple in five years and reach at least $7.5 billion by 2020, the rising threat of cyberattacks meant they would likely become more extreme.
The White House Council of Economic Advisers calculated earlier this year that cyberattacks cost the U.S. economy $109 billion in 2016 alone, linked to domestic and overseas activity. That statistic was released soon after a survey published from Microsoft and Marsh, which revealed cybersecurity is now the largest worry for the enterprise, with few feeling they are prepared to handle an attack.
As headlines from Wannacry and news of ransomware and malware losses continue to stream in, falling victim to a cyberattack may seem nearly inevitable. And it's this fear that has driven the cyber insurance market to balloon.
But it’s an industry that is difficult to get right, said Rotem Iram, CEO of industry company At-Bay. In a recent interview with PYMNTS, Iram pointed to remarks by Warren Buffett warning investors about cyber insurance.
"I don't think we or anybody else really knows what they're doing when writing cyber insurance," said Buffett at Berkshire Hathaway's annual meeting earlier this month. "We don't want to be a pioneer on this."
According to Buffett, the risk of a cyberattack means cyber insurance companies are faced with about a 2 percent chance of a catastrophic attack, with fallouts that would mean at least $400 billion in insured losses, according to Bloomberg reports.
"The core issue," explained Iram, "is that cyber-risk is highly dynamic, and there is a limit to how well historical data of old technology can predict future risk. If underwriters can't predict where security threats will come from, it's very hard to reward companies for their security posture today."
There are several reasons why cyber-risk is, as Iram puts it, "at odds" with the traditional business model of the insurance industry.
First, the notion of cyber-risk is relatively recent. "Traditional insurance models rely on decades of structured data to predict the future," he said. "With software, there is simply less reliable data to draw on."
Second, risks linked to cyberattacks are constantly, and quickly, changing. "Companies constantly adjust and reinvest their software," said Iram. "Vendors often upgrade old versions to fix bugs or add new functionality. Traditional insurance companies can't extrapolate a point-in-time assessment of risk across a year-long policy like they do in other contexts."
Third, risks linked to cyberattacks are, in a word, complex. Insurers are dealing with proprietary software of corporate policyholders that create their own technologies, meaning the possibilities and vulnerabilities are vast.
Lastly, Iram explained that this market comes with "invisible aggregation risk."
"Hurricanes are terrible events for home insurers, because many claims are filed at once from the same underlying event, or risk factor," he said. "This is why home insurance providers diversify their portfolios by insuring homes in many different geographies. For cyber, however, companies all around the world rely on similar technologies and infrastructure, and a cyber 'hurricane' could strike all across the world in an instant. Traditional insurance companies don’t have a mechanism for avoiding loss other than diversifying their portfolios."
But the cyber insurance market is growing, as more businesses believe they can crack the codes that Buffett doubts can be adequately solved. Investors recently put their faith in At-Bay: The company announced $13 million in Series A funding raised by Khosla Ventures, Lightspeed and Shlomo Kramer. The funds brought the total raised by the firm to $19 million, and will be used to focus on continued development of its cybersecurity monitoring service, as well as to roll out its insurance products, the company said.
According to Iram, At-Bay will cover up to $2 million in damages resulting from a cyberattack, more than is typical for this industry. That confidence comes from the company's reliance on technology to address cyber threats.
"While no company can completely eliminate human error, technology nonetheless plays a key role in keeping people from falling for hackers' schemes," he said. "Email technology in particular can keep users from seeing phishing emails in the first place, eliminating the vast majority of attacks."
Yet At-Bay, and the entire cyber insurance industry at large, will face hurdles as doubts persist over these insurance products' effectiveness.
"Insurance has failed to position itself as it should – the foundation of every company's risk management program," said Iram.
While cybersecurity technology is growing more sophisticated, the statistics (and headlines) make it clear that a cyberattack is a possibility for any company. Businesses that realize this, he added, are already one step ahead.
"We've seen that companies with the most mature security organizations are the most realistic about the inevitably of a cyber incident," Iram said. "Companies who are not looking for cyber insurance tend to underestimate their risk and exposure."