The Role of Data in Improving Cyber Insurance Pricing

To improve cybersecurity through cyber insurance, the private sector should aggregate cyber incident data to inform risk models and, in turn, more accurately price cyber premiums.

THE FOCUS

Cyber insurance holds potential as a tool to encourage firms – especially those with sensitive data like cloud computing companies – to better manage and mitigate their cybersecurity risks. The upside of issuing cyber policies for insurers would be more predictable losses from cybersecurity harms, chief among them ransomware. [1: Loretta Mastroeni, Alessandro Mazzoccoli, and Maurizio Naldi, “Cyber Insurance Premium Setting for Multi-Site Companies under Risk Correlation,” Risks 11 (10) (2023), https://www.mdpi.com/2227-9091/11/10/167; “Cyber Insurance: Risks and Trends 2024,” Munich RE, April 4, 2024, https://www.munichre.com/en/insights/cyber/cyber-insurance-risks-and-trends-2024.html.] Limiting this potential, however, is a structural inefficiency in the insurance market: insufficient historical cyber incident and claims data impede insurers as they seek to predict and price cyber risks. [2: Neeraj Kaushik, “Risks, Trends, Challenges for Cyber Insurance,” Insurance Thought Leadership, January 25, 2024, https://www.insurancethoughtleadership.com/cyber/risks-trends-challenges-cyber-insurance.] There are many other factors that affect pricing (including vague policy language and the potential for catastrophic loss events), but the lack of historical incident and claims data has been identified by the industry for years as the chief roadblock to effective cyber insurance. [3: “Assessment of the Cyber Insurance Market,” CISA, December 21, 2018, https://www.cisa.gov/sites/default/files/publications/20_0210_cisa_oce_cyber_insurance_market_assessment.pdf; Jamie MacColl, Jason R C Nurse, and James Sullivan, “Cyber Insurance and the Cyber Security Challenge,” RUSI, June 2021, https://static.rusi.org/247-op-cyber-insurance-fwv.pdf; Dan Garcia, “Rising Cyberthreats Increase Cyber Insurance Premiums While Reducing Availability,” GAO, July 19, 2022, https://www.gao.gov/blog/rising-cyberthreats-increase-cyber-insurance-premiums-while-reducing-availability.]

These pricing challenges also come amidst a dynamic cyber insurance market. A report by Howden, a global insurance broker, estimates that “the market could still be on course to achieve a premium base of close to USD 40 billion by the end of the decade,” nearly double its current level in 2024. [4: “Cyber insurance entering a new phase of development as non-US territories set to capture 54% of growth up to 2030, according to new Howden report,” Howden, July 1, 2024, https://www.howdengroupholdings.com/news/cyber-insurance-entering-a-new-phase-of-development-as-non-us-territories-set-to-capture-54-of-growth-up-to-2030?ref=news.risky.biz.] Despite these rising premiums, the demand for cyber insurance is also increasing. [5: Garcia, “Rising Cyberthreats Increase Cyber Insurance Premiums While Reducing Availability.”] A US Government Accountability Office (GAO) report found that corporate insurance clients opting for cyber coverage grew from 26 percent in 2016 to 47 percent in 2020. [6: Garcia, “Rising Cyberthreats Increase Cyber Insurance Premiums While Reducing Availability.”] According to Indian market research firm Fortune Business Insights, this number is projected to increase at a compound annual growth rate of 24.5 percent from 2024 to 2030. [7: “Cyber Insurance Market to Grow at 24.5% CAGR from 2024 to 2032; Cowbell Inked Collaboration with Millennial Shift Technologies to Strengthen Industry Position,” Fortune Business Insights, April 27, 2023, https://www.fortunebusinessinsights.com/press-release/global-cyber-insurance-market-10725.]

Cyber insurance itself can also drive improved cybersecurity practices in the private sector, as providers have significant discretion to select customers for coverage based on their cybersecurity posture, which can effectively force firms to adhere to common standards. [8: Richard S. Betterley, “Cyber/Privacy Insurance Market Survey – 2015,” Betterley Risk Consultants, June 2015, http://betterley.com/samples/cpims15_nt.pdf; Limit, “Cyber Insurance is Becoming More Expensive,” Coverager, September 20, 2022, https://coverager.com/cyber-insurance-is-becoming-more-expensive/.] This benefit of cyber insurance catalyzing good cyber practices is not new; in a submission to the Obama administration, the Internet Security Alliance noted that the standards of cybersecurity cyber-insurers employ could help to improve cybersecurity. [9: Larry Clinton, “Cyber-Insurance Metrics and Impact on Cyber-Security,” Internet Security Alliance, https://obamawhitehouse.archives.gov/files/documents/cyber/ISA%20-%20Cyber-Insurance%20Metrics%20and%20Impact%20on%20Cyber-Security.pdf.] The Royal United Services Institute has also evaluated the role of cyber insurance in incentivizing better cyber security practices in claimants, finding insurance allows for the consistent enforcement of minimum-security standards in industries and sectors where little to none may exist. [10: Trey Herr, “Cyber insurance and private governance: The enforcement power of markets,” Regulation & Governance 15 (1) (2019), https://doi.org/10.1111/rego.12266.]

The challenge with an emerging insurance market such as cyber insurance is that widespread adoption is an important prerequisite to providing benefits and collectivizing risk. Excessive premiums might drive customers away, but pricing too low or providing insufficient coverage risks unsustainable losses, pushing insurers out of the cyber market. [11: “Cyber Insurance: Insurers and Policyholders Face Challenges in an Evolving Market,” GAO, May 2021, https://www.gao.gov/assets/gao-21-477.pdf.] Cyber insurance premiums are based on predictive risk models that take historical cyber incident loss data as an input. [12: “Cyber Insurance: Insurers and Policyholders Face Challenges in an Evolving Market.”] Insurers could simply use this improved data to fine-tune their predictive risk models and pad their margins, but more competitive pricing could benefit insurers relative to competitors as well as open up new segments of the cyber insurable market.

To address this data deficiency in the market, the US Cybersecurity and Infrastructure Security Agency (CISA) should encourage the private sector to aggregate anonymized historical cyber incident data to a centralized public repository so that insurers can improve their risk models and price premiums more accurately. This could yield more accurate cyber insurance premiums and expand the number of policyholders over which insurers can enforce a set of cybersecurity standards.


Alphaeus Hanson is an assistant director with the Cyber Statecraft Initiative, part of the Atlantic Council Tech Programs. Hanson studies the decision-making of technology companies around risk and geopolitics, including the interaction between insurance companies and capital markets. Prior to joining the Council, Hanson was an analyst at Krebs Stamos Group (KSG).


The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.