Go deeper: Why investors care about cybersecurity insurance

Illustration: Sarah Grillo/Axios

Cybersecurity insurance is getting a lot of attention from investors right now as more and more companies try to manage their increasing risks.

The trend: There will “absolutely” be consolidation in the cybersecurity insurance market, in particular for firms that assess the risk of companies seeking insurance, Ken Gonzalez, a managing director at investment firm NightDragon Security, tells Axios. And mergers and acquisitions could mean big pay-days for investors.

The likely acquirers will include traditional vulnerability management vendors, security services vendors, fintech companies, and insurance companies, Gonzalez, a partner at Momentum Cyber, a cybersecurity advisory firm, said.

By the numbers: Global premiums are expected to surpass $20 billion by 2025, according to Allianz. In the second quarter of 2018, U.S. cyber-insurance prices jumped by 2.1%, in part due to an increase in claims and coverage, per Marsh’s quarterly Global Insurance Market Index. But pricing was tempered last quarter due to competition among insurers.

  • 76% of U.S. executives today have some form of cybersecurity insurance, per Ovum and FICO. A year ago, 50% had none.
  • Five years ago, cybersecurity risk was ranked the 15th most important business risk, according to the Allianz Risk Barometer, based on a survey of global insurers and brokers. Now it is seen as the second most important.

Driving the market: “There have been very few major payouts against cyber-insurance policies, so for now, the cyber-insurance business looks pretty profitable relative to other areas of insurance,” per Gonzalez.

  • For example, just this summer a bank in Virginia sued its insurance provider for not fully covering two cyber intrusions, per KrebsOnSecurity.
  • Yes, but: Gonzalez points out that a systemic cyberattack could instantly change how lucrative the market is.

The context: Cyber coverage has been around since the late 1990s and used to be bundled in some traditional insurance offerings, like liability, property, and crime insurance. But because cyberthreats are so complex, it became necessary to pull it out as standalone coverage.

What to watch: Cyber-insurance purchases spike in the aftermath of a prominent and expensive incident, per Marsh's index. The growth of cyber-insurance purchases is fastest for small-to-medium enterprises, per Trend Micro, a cybersecurity company.

  • A more structured regulatory environment could boost companies’ interest in obtaining cybersecurity insurance. All 50 states now have data breach notification laws. Europe’s new General Data Protection Regulation threatens massive fines for failure to keep data safe.

The other side: Skeptics say cybersecurity insurance might not go very far because almost no insurance policy is able to remedy the long-term business consequences of reputation damage — which accounted for almost 89% of losses in one cyber incident modeled by Deloitte.

The big picture: “There’s always going to be some tail of risk that a company will want to insure against. You can’t buy enough security technology and services to prevent every attack. There’s unknown risk that you can’t even qualify,” Gonzalez says.

Editor's note: This story has been updated to clarify the spike in purchase prices.