American International Group (AIG) has recently begun offering personal cyber security insurance plans to individuals. The company appears to be riding a wave of individuals’ fears about losing online data or having their bank accounts emptied, and should find success with wealthier customers who have a lot to lose. But it remains to be seen whether ordinary consumers will come to regard cyber security insurance as a necessary expense.
In targeting consumers instead of just business customers, AIG is following in the steps of companies such as LifeLock, which provides identity theft protection. The danger of identity theft and the need for protection from this risk took many years to penetrate consumer decision-making. Years of news media coverage of these dangers, along with personal experiences of identity theft, eventually educated the public and made LifeLock a household name.
Companies offering personal cyber security insurance will benefit once the public values cyber security as much as it does identity security. They may not have to wait long. Consumer cyber risk awareness is increasing amid the steady drumbeat of news coverage of data breaches. Untold ink and pixels were splashed on pages and screens during last year’s U.S. presidential election, as stories of the content of Hillary Clinton campaign chairman John Podesta’s email inbox at times dominated the news cycle.
Yet cyber insurance companies are likely to face challenges in achieving mainstream adoption of their products. First, the initial consumers who would make up the risk pool for companies entering the personal cyber security insurance marketplace are likely to be politicians and other public figures—a limited population. In addition, this group has many and diverse online assets to protect, which presents serious challenges to traditional methods of measuring and pricing risks for insurance companies looking to enter this new market. The unanticipated consequences of a personal email breach can run the gamut, from minor transgressions such as hackers forwarding spam messages from your email account to potentially changing the outcome of a presidential election.
Furthermore, the responsibility for cyber attacks on higher-ups in corporations and government could get murky. Since these employees regularly require access to highly sensitive corporate and government data, some are likely to request that their employers consider personal cyber security insurance as a necessary organizational security expense.
Another problem for companies offering personal cyber security insurance is that consumers may be putting themselves at more risk than insurers can accurately anticipate. This is due to what is known as the “privacy paradox.” Consumers place a high priority on the protection of their privacy, but their actual behavior on information-sharing platforms like Facebook and Instagram runs counter to this. For market researchers gauging probable policy issuance rates and monthly premiums, such gaps between intentions and behavior can be confusing and perilous.
Further complicating matters, unlike homeowners’ insurance or auto insurance, consumers are not legally required to purchase cyber security insurance. As a discretionary expense to protect against a form of risk that can be very difficult to anticipate properly, this kind of insurance policy might quickly be canceled if a family budget were pinched.
Despite these challenges, AIG might have a shot at profiting from its new venture. Ideally, a new insurance product is allowed time to build a history of premium payments and policy claims. Companies that began issuing cyber security insurance policies years ago now have such data stores on hand, and have used these to improve their protection methods and pricing models. A massive company like AIG can afford to accept high loss rates in the early years as it accumulates this data. On the other hand, venture capital investors may not be as patient with a startup competing in this space.
AIG is currently targeting the wealthy, a group with plenty to protect. When combined with the company’s relative length of experience in measuring and pricing cyber security risks, it appears to be taking the right approach to entering this budding market. The question for the future is just how far down the income ladder cyber security insurance companies will need to go to find a viable, sustainable customer base.
Samuel C. Thompson is an assistant professor of information systems at the Collat School of Business at the University of Alabama at Birmingham.
