The Federal Trade Commission (FTC) and the National Association of Insurance Commissioners (NAIC) have issued guidance suggesting companies consider cyber insurance as a means of resilience against cyberattacks. While essential, merely suggesting cyber insurance isn’t enough. The government must ensure its availability and affordability, especially for small businesses. Businesses must also take other steps to prevent cyber-risks and keep policies affordable.
The digital age brings immense benefits, but with it comes increased cyber threats to businesses. The solution isn’t just insurance — it’s proactive cybersecurity.
Businesses should consider cyber insurance a risk management tool, but it’s not a comprehensive solution to all cybersecurity challenges. It also may be beyond some small businesses’ financial means, and the cost is increasing. According to NAIC, cyber-insurance premiums grew 61% in 2021 alone, when the average annual cost for cyber insurance for a business with $1 million in revenue to have $1 million in coverage (with a $10,000 deductible) was $1,485. The prices have since increased, and some businesses find insurers unwilling to renew policies or even cancelling them.
Even for businesses that can get — and afford — cyber insurance, it isn’t comprehensive and doesn’t cover every possible type of security breach. Instead, policies cover a set of named perils. An inexperienced buyer may not realize the protection limitations, given the variety of coverages, exceptions, and exclusions in policies. Policies, for example, may not cover cyber terrorism, state-sponsored attacks, contractual liabilities, or intellectual property infringement, and may have exclusions for war, terrorism, bodily injury, and property damage. Policies may also have deductibles, co-payments, and sublimits that reduce the amount of coverage.
How Agencies Can Help
A recommendation to invest in cyber insurance is excellent, even if it doesn’t protect against all threats. However, businesses must be able to afford and obtain it to follow the recommendation. Agencies can increase and expedite cyber-insurance adoption — and general business cyber protection — by implementing a holistic approach that supports businesses’ use of proactive cybersecurity measures, provides education, and encourages industry and policy cost subsidization.
The cyber-insurance market lacks standardization, with companies offering policies that cannot be readily compared. This creates challenges for consumers and brokers alike when trying to evaluate policies. A standardized format for presenting policies, perhaps patterned on the 100/300/100 approach used for auto insurance or the energy facts labels used on appliances, could aid consumers in making informed purchase decisions. Agencies can offer incentives to encourage industry self-regulation to promote consistent policy presentation and clarity. This can benefit insurers, underwriters, brokers, and policyholders alike.
Government Should Subsidize Cyber Insurance
The government can also aid in cyber-insurance uptake through targeted subsidization. Uninsured businesses create harms that are transferred to the public if they fail after an incident. Companies are also faced with threats from state actors and state-affiliated attackers, which are, rightly, costs borne by the government. Agencies can promote cyber insurance and offer incentives, such as tax credits, for purchasing it. Federal and state governments can aid in policy affordability by creating a backstop fund to cover catastrophic cyber-incident costs, which may cause insurers to fail, and incidents attributable to state actors and state-affiliated attackers. State-backed models exist for other catastrophic risks, like hurricanes and floods. The federal government has also provided airlines with terrorism coverage after incidents.
Government outreach to businesses can help them understand the importance and implementation of good cybersecurity practices. This will help keep losses and, in turn, policy premiums low. It also prevents incidents from occurring, benefiting society at large.
Regulators can increase market efficiency by ensuring policies provide the implied coverage. Existing fair-trading authorities can be leveraged to this end. Common policy benefits presentation, and ensuring its accurate translation into policy language facilitates competition and reduces the effort required to compare and purchase policies. Agencies can enable this by developing curriculum and licensing practices targeted at cyber-insurance providers and resellers.
Government agencies can aid insurance uptake through targeted actions and provide public benefit. Implementing these actions should be a top priority for relevant agencies.