Brace yourselves: Global cyber insurance demand is coming

While cyber liability insurance is one of the fastest-growing types of product in the industry, the majority of growth has come from the US, but that is about to change.


The US – where the regulation resides


The most plausible explanation for the rapid rise of cyber liability insurance in the US — and not elsewhere — is that individual states (well, at least 48 of them) and the federal government have been at the forefront of privacy legislation by enacting strict data breach notification statutes.


The effect of this legislation is multi-faceted, but naturally involves business cost. First, because many of these laws follow the states of residence of the affected individuals as opposed to the location of the breach or the breached entity, an incident affecting a large enough population will likely require an analysis of each of these laws, many of which have different definitions as to what exactly constitutes a breach requiring notification, and varying requirements as to the method, timeliness, and wording of the notification. Second, to the extent legal counsel determines that notification is indeed required, the organisation will incur the cost of transmitting the notice (usually by regular mail), and often, depending on the type of information compromised, the notice will include credit/identity theft monitoring and fraud resolution services. Finally, to the extent any regulators take an interest in the incident, there is a risk of a fine or penalty being assessed. Recent examples include an $18.5m (£14.4m) settlement between a retailer and 47 states and the District of Columbia, and a $5.55m settlement between a health system and the Department of Health & Human Services Office for Civil Rights.


The new frontier


Outside the US, and without the regulation-driven costs, there has understandably been less of an interest and/or perceived need for cyber liability insurance. But that lack of demand appears to be dissipating rapidly. What’s changed? For starters, there has been an evolution in both the manner and purpose of cyber attacks, most notably ransomware. According to security firm SonicWall’s 2017 Annual Threat Report, ransomware use grew 167 times year over year, as the 3.8 million attack attempts in 2015 rose to 638 million in 2016. Hackers have concluded that instead of spending a great deal of time attempting to infiltrate a targeted organisation’s network through a backdoor security hole, it’s easier to trick one of the organisation’s employees into opening the front door. What’s more, according to Symantec’s 2017 Internet Security Threat Report, the average ransomware extortion demand rose to $1,077 in 2016, up from $294 in 2015, and those numbers are expected to rise as attackers shift their focus from individual consumers to businesses.

Source: WLTW


In June, a cloud services provider had 150 of its servers encrypted, resulting in outages to the sites of more than 3,400 of its business customers. The ransom demand was purportedly negotiated down from an initial demand of over $4m to approximately $1m (a record amount — for now — in terms of publicly reported ransomware payments). What is so noteworthy about this particular demand is not so much the amount, but the way in which it was derived; it has been reported that the hackers based their demand on a calculation of the cloud provider’s total annual payroll. Accordingly, it seems that attackers in the future are more likely to make demands that take into account the financial means of their victims. It remains to be seen just how high that number can go before an affected organisation decides it’s not worth recovering the encrypted data.


While the increase in ransom demand amounts may finally be tempting non-US organisations to purchase cyber liability insurance, it’s more likely that the consequences of not paying the ransom have them apprehensive. To the extent that: a) the affected organisation refuses to pay the ransom; b) the hacker does not live up to their end of the bargain and fails to provide the decryption key; or c) the decryption process fully or partially fails and causes corruption of the data at issue, the effect could very well be an extended period of business interruption. The inability to earn income due to a network disruption is something to which any modern-day organisation can relate. The recent mass-scale WannaCry and NotPetya ransomware attacks have caused business interruptions of varying degrees to companies of all sizes. It is this system outage coverage that has served to convince many insurance buyers — even those with little to no risk of regulation-driven cost exposure — that there is still relevant and valuable protection available within a cyber liability insurance policy. Moreover, the number of organisations around the world with little regulatory exposure is decreasing.


Privacy regulation outside the US


We previously provided a comprehensive look into the EU’s GDPR, which is set to apply from May 25, 2018 following a two-year transition period. What has not received as much attention is China’s 79-article Cyber Security Law (“CSL”), which took effect on June 1, 2017, and is likely to impact companies with a presence in China and those doing business with China. As a basic law, the CSL is an important starting point for personal information protection and regulation of cyber security risks. It is expected that a series of rules and regulations will be released to work alongside the CSL. However, in the meantime, many businesses potentially affected by the CSL have criticized the law as being vague, and overly broad in scope.


The CSL applies to the construction, operation, maintenance and usage of networks, as well as the supervision and management of networks within the mainland territory of China. A heavy focus is placed on ‘network operators’, defined by the CSL as owners and administrators of networks. Because that definition is incredibly broad, organisations that provide services and conduct business activities through networks may unknowingly be considered network operators. In addition to traditional telecom operators and internet firms, the definition of network operators could possibly be construed to include banking institutions, insurance companies, IT security companies, and other enterprises that have websites and provide various network services.


Network operators must adopt measures to safeguard network security and stability, respond to network security incidents, prevent cybercrimes and unlawful activity, and protect online data. In addition, certain network operators providing critical information infrastructure services or support have more stringent requirements, including training employees, formulating emergency response plans, and conducting disaster recovery exercises.


Perhaps the most significant impact of the CSL from an operational and financial standpoint will be on foreign and multinational organizations. The CSL stipulates that critical information collected or generated in China must be stored domestically. The only way to transfer that information outside of China is to allow security assessments to be conducted by Chinese regulators.


For individuals, the protections around personal information are strong. Network operators are barred from disclosing, tampering with, or destroying the personal information they have collected, while individuals and organisations are forbidden from stealing or using other illegal means to obtain personal information.


Companies that violate the CSL risk the suspension of operations, cancellation of business permits, imprisonment, and the assessment of monetary penalties of up to 10 times the amount of unlawful gains (or up to 1 million Renminbi — approximately $150,000 USD).


Despite the concerns about the CSL being vague and/or overly broad in its scope and application, those organisations conducting business in and with China should thoroughly review the CSL in connection with their current policies and procedures governing network security and data privacy.


Going global


These developments in China illustrate that what has largely been a US market for cyber insurance so far may not remain that way for long. The ever-present risk of business interruption resulting from cyber attacks, such as ransomware, the global increase in data security and privacy regulation, and the potential fines and penalties exposure associated with non-compliance, are steadily fueling international demand for cyber liability insurance. When implemented as a risk protection solution along with assessment and recovery planning tools, cyber insurance provides organisations with a holistically sound approach to cyber risk management.



Dan Twersky is a claims advocate within the claims and legal group for the financial lines practice of the corporate risk and broking segment of Willis Towers Watson.

