Cybersecurity and identity theft coverage: The state of the industry
Insurers report cyber insurance data to NAIC
Annual information about the U.S. cyber insurance market has been hard to come by until now, but new reporting requirements developed by the National Association of Insurance Commissioners (NAIC) now enable insurers to better track cyber insurance policies issued in the marketplace.
This preliminary analysis of the data, as reported on the Cybersecurity and Identity Theft Coverage Supplement for insurer financial statements, gives us an understanding of the size and shape of a rapidly growing market.
For the year ended December 31, 2015, direct written premiums in the U.S. cyber insurance market totaled $1.2 billion, based on data reported to the NAIC as of April 25, 2016, and sourced from S&P Global Market Intelligence.
Two types of coverage are included in the supplement: cybersecurity and identity theft, so totals are for the combined market. Cyber policies generally cover commercial risks. Identity theft is a personal lines coverage that addresses the risk that an individual’s identity is stolen.
The data was gathered from U.S. property/casualty insurers writing cyber liability coverage nationwide only. Since a significant amount of cybersecurity insurance is written via Lloyd’s and other international insurance markets, it is likely that actual U.S. premiums are considerably higher than $1.2 billion.
Both stand-alone coverage and packaged policies are included in the data request. Packaged policies are cybersecurity and ID theft policies that may be included as part of a commercial multi-peril package; stand-alone policies offer specialized cyber risk coverage that is tailored to the individual needs of a company.
The types of losses and liabilities that cyber risk policies may cover include: damage to, and/or destruction of, valuable information assets due to viruses, malicious code; expenses and legal liability resulting from a data breach including defense costs, settlements and judgments; regulatory investigations, fines and penalties; business interruption resulting from an attack that disables company operations; losses arising from an extortion threat against a company’s network; and expenses incurred as a result of an identity theft, such as providing access to identity theft call centers.
Of the total $1.2 billion in direct written premiums in the U.S. cyber market (cybersecurity and ID theft) in 2015, packaged policies accounted for $733.3 million, or 59 percent, making up slightly more of the combined market. Stand-alone coverage accounted for $501.9 million, or 41 percent.
The total number of policies in force in the U.S. cyber insurance market amounted to 18.5 million in 2015.
Packaged policies made up the majority of total combined policies in force, accounting for 97 percent (almost 18 million policies), while just 3 percent (561,182) were stand-alone policies.
If the U.S. cybersecurity business being written via international markets were included in this data, the number of stand-alone policies for cyber risks would probably account for a greater proportion of the overall market.
By type of coverage, cybersecurity insurance accounted for 81 percent of the combined cyber/ID theft market with $995.8 million in direct premiums written in 2015. Packaged cybersecurity policies accounted for $515.1 million, or 42 percent, of the combined market, while standalone cybersecurity policies accounted for $480.7 million, or 39 percent.
In contrast, ID theft accounted for 19 percent of the combined market, with $239.4 million in direct premiums written in 2015. Packaged ID theft policies accounted for $218.2 million in direct premiums written in 2015, or 17 percent of the combined market, while standalone ID theft policies accounted for $21.2 million, or 2 percent.
However, by far the majority of combined policies in force were ID theft coverage, reflecting the greater volume of policies issued in this line of business.
Some 17 million ID theft policies were in force in 2015, accounting for 92 percent of the combined market, while the number of in-force cybersecurity policies totaled 1.5 million, making up just 8 percent of the market.
While cybersecurity business accounts for a small slice of the combined market based on the number of in-force policies, it represents four times the value of the ID theft market ($995.8 million vs. $239.4 million) by direct premiums written in 2015.
This is a reflection of the higher values at stake in cybersecurity insurance policies, which are more frequently purchased by medium- to large-sized corporations with cyber risk needs that require tailored solutions. By contrast, ID theft is a high volume, small premium business.
Both lines seem likely to grow as the world becomes more interconnected via the Internet