In the aftermath of the Equifax data breach[1] last year that exposed personal information of more than 145 million people, analysis firm Property Claim Services estimated[2] that cyberinsurance would cover roughly $125 million of Equifax’s losses from the incident. It’s uncertain whether Equifax will actually receive that much money; insurance claims can take a long time to investigate, process, and pay out. But it was a reminder of the increasingly important role insurance plays in cybersecurity—and the challenges of getting it right.
In 2016, the cyberinsurance market brought in around $3.5 billion in premiums globally, of which $3 billion came from US-based companies, according to[3] the Organisation for Economic Co-operation and Development. That’s not an enormous amount of money compared to other insurance markets; motor vehicle insurance premiums in the US, for instance, total more than $200 billion annually[4]. But cyberinsurance premiums have grown steadily at a rate of roughly 30 percent[5] every year for the past five years, in an industry unaccustomed to such spikes.
'The worst data is probably in cyberinsurance.'
Nick Economidis, Beazley PLC
With the European Union General Data Protection Regulation[6] poised to go into effect May 25, and firms of every size in every sector concerned about emerging online threats, insurance carriers see ample opportunity. But as the cyberinsurance market grows and those carriers take on responsibility for more computer-based risks, it becomes increasingly important that they model that risk and predict its outcomes accurately, a notoriously difficult task in the evolving and unpredictable domain of online threats.
Companies like retailers, banks, and healthcare providers began seeking out cyberinsurance in the early 2000s, when states first passed data breach notification laws. But even with 20