The message about the need to take cyber risk and insurance seriously is getting through to companies and boardrooms.
"As risk awareness has grown, more organizations, particularly those focused on their business interruption risk, are turning to the cyber insurance market for protection," according to Tom Reagan, U.S. Cyber Practice Leader for global insurance broker Marsh.
Marsh issued a new report on the cyber market, More Cyber Insurance Buyers as Awareness Grows.
Cyber insurance pricing remains competitive; average pricing for cyber insurance coverage fell by 0.6% in the fourth quarter of 2018. Insurers also continue to provide more coverage in exchange for premium, although this trend may not continue indefinitely, according to Marsh.
The estimated cyber insurance market increased to $1.8 billion in 2018, three times what it was in 2015, the report says.
Reagan said Marsh's experience shows that the overall number of U.S. purchasers has doubled over the past five years, while policy limits for existing buyers are also growing "as the economic impact of cyber events becomes increasingly clear."
Furthermore, this client demand is being matched by "strong carrier appetite" for cyber risk, which Marsh expects to result in stable pricing and expanding coverage for 2019.
Some findings from the Marsh report:
- Over the past five years, the number of all Marsh U.S. clients buying cyber insurance has doubled to 38% in 2018 from 19% in 2014.
- That growth is evidenced across all key industries, which saw an average standalone cyber insurance purchase rate of 15% since 2016.
- In 2018, cyber insurance purchases grew the most among hospitality and gaming (67%) and education (34%) organizations.
- Cyber policy limits grew in 2018, with average limits purchased by all companies rising 11% to $20.9 million.
- Among companies with more than $1 billion in revenues, average limits purchased increased by more than 25% in 2018, to $62.4 million.
According to the report, the leading buyers of cyber insurance in 2018 were organizations in industries that make significant use of personally identifiable information (PII) and protected health information (PHI), primary sources of cyber risk for businesses. These buyers include the education and health care industries, followed by hospitality and gaming.
At the same time, other industries have also begun purchasing cyber insurance as insurers have indicated they are no longer willing to provide coverage for business interruption caused by network intrusions. "Those losses are increasingly expected to be covered under cyber policies, which have expanded to respond to a wide variety of potential risks while still being competitively priced," the Marsh analysis notes.
Another key factor in the message getting through: the damage done by the 2017 WannaCry and NotPetya malware attacks, along with more recent ransomware incidents. These have "made clear that cyber threats have evolved from data breach and theft to now include business interruption and supply chain disruption," and more organizations, including manufacturers and power and utilities companies, are now purchasing cyber insurance.