- An increasing number of security vendors will provide insurance guarantees. 2016 signaled a new path in the cybersecurity industry, as a few emerging startups (e.g. SentinelOne and Cymmetria) started to offer cyber insurance coverage of as much as $1 million per organization that is fully covered by their defense solutions. I expect this trend to intensify through 2017, and well-established vendors will gradually follow to offer a bundle of protection plus insurance.
- We will see an increase in the number of insurance companies that offer cybersecurity services. As cyber insurance emerges and many new insurance companies enter the market (currently, approximately 70 insurers offer stand-alone cyber insurance products), there is a race for the best cybersecurity talent to assess the risks and provide pre- and post-breach services such as monitoring, incident response and forensics. In this atmosphere, insurers will acknowledge the revenues they can make from cyber insurance and adjacent security services to their clients, and will (and already do) expand their teams with cybersecurity professionals and tools through aggressive hiring and M&As.
- Cyber extortion coverage will take the lead as the most in-demand cyber insurance product. Ransomware is exploding across geographies, industries and businesses of all sizes. Following the massive distributed denial of service (DDoS) attacks on Krebs on Security and Dyn, the IoT world is open to a new world of DDoS attacks that no load balancer can mitigate. I expect that cyber extortion will become the biggest problem for organizations and individuals and that it will surpass data breaches as the main threat.
- Adoption of advanced tools for risk assessment will increase. There is a high demand for tools that will give insurers an accurate, scalable and affordable risk assessment that will streamline the entire (mainly manual) questionnaire-based risk quantification methodology that is the common practice today.
- New regulations will be introduced and will support the expansion of the cyber insurance market. There is a high chance that more U.S. states will introduce regulations that support regular internal risk assessments of third-party vendors and enforce security policies on organizations, as suggested by the new NY proposal for the big financial institutions that was released last September.
- The penetration rate of cyber insurance among SMBs will be the driving force in the industry. As awareness of cyber-attacks increases among small- and medium-sized businesses, they'll realize that cyber insurance is an essential security tool, particularly because of their limited cybersecurity resources. I expect to witness higher percentages of the SMB segment purchasing cyber insurance coverage, leading to an increase in total market size, as current estimates rely on low adoption rates in these segments.
- Insurers will introduce personal cyber insurance coverage. As ransomware becomes a threat to any operating system and any device, it is forecast to gradually become a serious problem for individuals as well, which will lead cyber insurance companies to offer personal cyber insurance coverage.
Cyber Insurance: Coming of Age in '17?
Executives and security professionals are gradually accepting that it is not a matter of if but a matter of when a cyber-attack will hit.