Cyber risk insurance is also becoming normal for big businesses that can reasonably expect to face a cyberattack at some point, but it may be harder to justify for smaller businesses and municipalities that may choose to self-insure rather than add a significant insurance premium.
Cyber insurance policies are often exceedingly complex contracts that can easily run to hundreds of pages, and payouts can hinge on precise definitions of terms like “computer system” or “cyber incident” or on specific cybersecurity precautions that were or were not implemented.41 For these reasons, only 28.4% of claims in 2017 resulted in payment, with an average payout of $188,525, far less than the average $590,000 cost we found for cyberattacks.
In the NotPetya case, those affected by the hack attempted to collect on their policies and were told by their insurers that the attacks would not be covered because of “war exclusion” clauses.
These disputes are working their way through U.S. courts and highlight the immaturity of the cyber insurance market, which, compared to coverage for more traditional hazards like fires or floods, lacks sufficient data for reliable actuarial models and faces constantly evolving risks and contested coverage. Still, the market continues to grow, and one estimate puts its overall value at $5.5 billion in 2020.44 This includes stand-alone cyber policies, as well as protections packaged into standard property and liability policies.