Why don’t more businesses have cyber insurance?

By Shawn Dougherty December 2, 2014

Shawn DoughertyIt seems every few days there’s a new report of a data breach affecting a business or healthcare service provider we know. In a number of those cases, cyber insurance has helped the business recover from the incident — paying for investigating the breach, notifying affected customers, and making credit monitoring available to them. So why hasn’t the cyber insurance take-up rate been greater and become a staple of the insurance industry?

First, there’s the question of demand. According to a recent survey conducted by Hanover Research and sponsored by ISO, most companies today don’t see their lack of cyber coverage as a problem. The survey of insurance professionals found that among carriers offering cyber insurance, 40 percent say businesses don’t think they need cyber coverage and 29 percent say businesses believe they’re already covered under existing policies. Only 12 percent of insurers say the biggest challenge is that premiums are too high. You can download the survey results here.

There’s also the question of supply. Only 46 percent of the insurers that responded to the survey currently offer cyber insurance. At a conference this fall, Ari Schwartz, the White House director of cybersecurity, indicated that insurers low take-up rate pertains to the absence of the actuarial data they need. That should change over time as data on cyber losses becomes more robust and insurers are able to make more informed decisions about cyber coverage. In fact, this year we formed a strategic collaboration with IDT911™ designed to help us better understand the cost of data breaches and provide a more complete picture of cyber risk.

There’s no question that we need to continue to educate business leaders about the exposures and costs they potentially face should they suffer a cyber attack. We also need to provide coverage options that meet the needs of policyholders. According to the recent survey commissioned by ISO, 92 percent of insurers providing cyber insurance offer optional cyber endorsements to existing insurance policies.

This year, we introduced optional cyber insurance endorsements for use with our Businessowners Program. Those endorsements will be available for insurer use in March 2015. We’re also working on cyber coverage for medical professional liability risks, which we hope to file with state insurance regulators next year. For what other insurance programs should we consider developing endorsements? What other products and services could help you offer cyber insurance coverage? Please contact me at sdougherty@iso.com or 201-469-2816 to let me know.


Shawn Dougherty

Shawn Dougherty is the assistant vice president of ISO's Specialty Commercial Lines Division. He is responsible for providing the overall direction, leadership, and client service for ISO's cyber liability (e-commerce), D&O (management protection), businessowners, crime and fidelity, financial institutions, employment-related practices liability, and professional liability (other than medical) insurance programs. He is also the ISO product manager for the Lloyd's Wordings Repository, an electronic database of policy wordings and clauses regularly used within the London market. Mr. Dougherty has worked at ISO since 1988.