By: Liberty Mutual Insurance | October 2, 2023
Patrick Thielen, Global Head of Cyber, Liberty Mutual Insurance
The cyber insurance market may reach close to $100 billion by 2030. An increasing reliance on technology and a growing industry of cybercriminals are the driving factors.
In the near future, the insurance industry might just see the abbreviation “P&C” become “PC&C” — property, casualty and cyber.
Experts predict the market will double from $15 billion to more than $30 billion over the next five years, and it could reach close to $100 billion by 2030. Once purchased primarily by large enterprises in the U.S. and Europe, cyber insurance is now becoming a must-have investment for companies of all sizes.
“It’s becoming more common for all businesses, across all industries, continents, and sizes — even down to sole proprietorships and main-street types of businesses — to buy cyber insurance,” said Patrick Thielen, Global Head of Cyber, Liberty Mutual Insurance.
As cyber risks continue to evolve, companies will turn to the market to meet their cyber insurance needs and offer proactive risk management solutions. Cyber insurers partner with clients to offer a broad range of cyber risk management, underwriting, and incident response capabilities.
From Data Breaches to a Trillion-Dollar Criminal Enterprise
The cyber market has seen such explosive growth in part because digital exposures are more ubiquitous than ever. About twenty years ago, toward the end of the dot-com era, the cyber insurance market grew because bank and tech industry leaders were asking their brokers and insurers for bespoke “digital risk” coverages, typically attached to more traditional policies like property, D&O or E&O. Now, it’s a risk every company contends with. Moreover, cyber risk follows employees from work to their homes and seeps into our private lives.
“Most people know somebody who has had a cyber incident. Whether it’s identity theft or a ransomware incident, they’ve been personally impacted by cyber risk,” Thielen said.
Over the past 20 years, exposures have evolved rapidly. First, there were data breaches, then ransomware and business email compromise became commonplace. Now, in addition to those continued threats, companies are contending with data privacy regulations like the EU’s General Data Protection Regulation or the California Consumer Privacy Act. These government regulations are turning cyber exposure from a point-in-time concern following data breaches into a constant operational risk that pertains to many dimensions of how firms collect, use, and manage the data of others within their businesses.
Cybercriminals are well aware of how critical digital technologies are becoming in the business world, and they’re ready to exploit any vulnerabilities. Hackers are forming organized and specialized groups, using digitization, automation, and sophisticated supply chains with structures not unlike those of the companies they’re attacking.
“People might view a hacker as being a loner, sitting in their basement, wearing a hoodie, doing an attack themselves,” Thielen said. “It’s probably more accurate to think about hackers just as serious businesspeople, typically operating in countries where that’s their best economic opportunity.”
A number of countries have become safe harbors for these criminal enterprises, enabling them to grow further and attack more businesses. “Cyber crime organizations have been given de facto impunity to operate without fear of law enforcement in many countries around the world,” Thielen said.
While there’s consensus about the rising stakes of cyber across the insurance industry, there’s also been a notable lack of a true cyber CAT event — a single attack that affects a wide swath of insureds with severe loss impact. A 2023 report from Conning found that a $30 billion insured cyber loss could result in an industry-wide loss of around 210% of annual premium.
“Modeling any risk can be challenging, but cyber risk is particularly difficult due to its constantly-evolving nature. The peril is human beings, with various and changing motivations, tools, capabilities, and creativity. Their target is also a constantly-evolving and expanding attack surface—which just means the global collection of potentially attackable firms, networks, technologies, and vulnerabilities,” said Thielen.
“With risks accelerating on all sides of the cyber landscape, companies need to keep pace. A lot of folks think about cyber defense as technology, and that’s part of it, but an even more important way of thinking about cyber risk is around an organization’s cyber philosophy. That means, training and resources. That means partnerships and planning. It means operational redundancies and organizational resiliency. In short, it means taking it seriously at a board level, and respecting cyber risk management as a critical source of value.”
Expanding Risk Control into the Cyber Space
Companies are getting better at backing up their data, preparing for cyber events by conducting tabletop drills and empowering chief information security officers (CISOs) to help guide their businesses through loss-prevention strategies.
“Companies are doing a better job, generally, of backing their critical systems up,” Thielen said. “Five or 10 years ago, it was very common for companies to pay if cybercriminals encrypted their critical systems.”
And yet, when companies improve their defenses, cybercriminals develop new strategies. “A lot of the same tools that are used by good guys to perform defensive activities are then used by bad guys to either reverse engineer the defenses or use those same tools for offense,” Thielen said. Case in point: When companies started backing up their data, hackers didn’t just stop at encrypting it and locking the systems. They started threatening to leak the data, attack a business’s clients, or go after their executives — tactics known as double and triple extortion.
Human error, too, remains a weak spot and is still the leading loss driver in the industry. “You can have the best controls and the best cybersecurity program in the world, but if you have human beings working for you, then there are ways for attackers to get in,” Thielen said. “That’s why phishing, vishing, smishing, social engineering, and many other forms of deceit have continued to be very common strategies for attackers to gain initial access into a targeted network.”
“This is the benefit of experience. At Liberty Mutual, we’ve been writing this business for over 15 years, originally as Ironshore, so we understand these kinds of loss events and what kind of protocols make sense. While the specifics of the technology may change, the themes and protocols can remain remarkably similar.
“I see a lot of organizations get really spooked when you start talking about cyber risks and that’s fair because the stakes are high because practically everything is digital. But I think they take a lot of comfort in talking to us because we can help them proactively plan and train. We know where small changes can make the biggest impact, and we know what to do in the event of a loss—because we’ve probably seen similar incidents in the past.”
Cyber risk management strategies can help mitigate the likelihood of falling victim to an attack, but they can also be a form of legal defense in the aftermath of an attack: “It’s harder to argue that your company was negligent just because you suffered an event. If you deployed the same best practices as your peers in the industry, that could meet that threshold of reasonableness from a risk management perspective,” Thielen said.
Cyber Insurance Carriers: A Critical Source of Knowledge
Tabletop drills, CISOs, employee cybersecurity training, and other risk control practices are important for companies looking to stay on top of evolving digital exposures.
“We know this is a pain point for a lot of clients and we continue to invest in our cyber capabilities to help them manage this rapidly changing risk,” whether that means providing risk control resources, packaging cyber policies with other lines of insurance, or offering stand-alone primary and excess coverage through retail and wholesale channels.
The company’s growing cyber team includes risk engineers, cyber actuaries, and other experts.
“I’m excited about the future of cyber insurance at Liberty Mutual. We are committed to bringing all of the firm’s organizational capabilities to bear, and remain an industry leader in this space,” Thielen said. “We’ve got a history of insuring cyber risk, and we’re also one of the largest P&C insurance companies in the world. We’ve got offices in 29 countries. We continue to invest directly into our cyber risk capabilities. We’ve got a really broad set of products and services to meet the current and future needs of our policyholders.”