Cyber-risk coverage worldwide is about $US150 billion ($194.33 billion), with a take-up rate across all industries of about 16%, according to a new report by Standard & Poor’s (S&P) that cites estimates from Marsh.
“The cost of cyber insurance relative to the limit purchased is roughly three times that of general liability insurance, reflecting the degree of uncertainty around risk and how it should be priced,” the ratings agency says.
Cyber crime costs the global economy about $US400 billion ($518.13 billion) a year.
For corporates, this implies significant “event risk” in terms of revenue, profitability, debt levels, intellectual property and reputation.
S&P says the cyber-insurance market is still relatively new. Cover is provided mainly from the US and, to a lesser extent, the UK through Lloyd’s.
Intellectual property (IP) theft and industrial espionage, including loss of sensitive competition data and details of prospective mergers, mainly affect industries with high-value technology such as aerospace and defence, IT hardware, software and pharmaceuticals. A UK report shows the costs to companies of IP theft are significantly greater than for other cyber crimes.
The Association of British Insurers says that, despite 90% of large UK businesses suffering a cyber-security breach in the past year, only about 10% have cyber insurance.
Many CEOs believe they are covered for cyber risk when they are not, with 39% in large UK businesses thinking they are protected.
Take-up rates in the US are higher, but covered companies are still a minority.
“If these figures offer any kind of benchmark, the direct impact on profitability of precautionary measures is currently relatively small but growing,” the S&P report says.
While precautionary costs are likely to continue to rise, given the growing frequency of attacks and demand for policies, S&P says they are unlikely to significantly affect ratings.
The agency has yet to take credit action specifically linked to cyber risks.
availability of cover be restricted for smaller, vulnerable companies if financially damaging attacks grow.
Some companies or industries may be deemed uninsurable if attacks are severe and frequent.
Following denial-of-service attacks on the US financial sector in 2012/13, investment and banking giant JP Morgan announced plans for annual cyber-security spending of $US250 million ($323.77 million) by the end of last year.
After the company was directly attacked last year, it said spending would increase 80% in two years.