Cyber security may be an oxymoron: most of us will end up victims of a digital hack at some point (if we haven’t already). So, it’s only natural that people want cyber insurance to help minimize the potential fallout of identity theft or a banking hack.
The U.S. Council of Economic Advisers estimated last year that hacking cost the U.S. economy between $57 billion and $109 billion in 2016. Just last year, hackers stole more than 1.2 billion passwords, which is a ticking time bomb for anyone whose password was stolen and who hasn’t yet changed it.
While the current market for personal cyber insurance is less than $500 million a year, re-insurer Swiss Re predicts the market could grow to $3 billion a year by 2025. The commercial market will be bigger, though it may be diluted by the fact that many companies also invest in parallel in their own information security staff.
However, previous estimates of the size of the cyber insurance market have been too optimistic. The simple fact is that insuring against information security risks is nothing like insuring against fires or floods, for which large datasets are available and whose probabilities tend not to change in unpredictable ways.
“In cyber that’s very difficult to do because no two incidents are alike,” Zurich Insurance cyber risk head Lori Bailey told Wired last year.
As a result, premiums for cyber insurance have climbed to incorporate unanticipated risks and payouts.
But they won’t take on every unanticipated risk: Zurich got out of paying Mondelez for damages related to the NotPetya cyber attack by declaring that attack an act of war. Welcome to the eternal cyber war.