Preface: Gartner doesn’t cover cyber insurance, and I’m not really supposed to talk about it, because we don’t give financial or legal advice. This article offers no opinion on cyber insurance; it’s about what we can learn about cyber risk based on how cyber insurers view their own financial risk.
Take the following (almost) real numbers I’ve seen recently on a cyber risk policy:
Taking into account that the client was asked to pay a million dollars, there was essentially only five and a half million in benefit. (The 50% coinsurance actually reduces the limit from 15 million to 7.5 million in benefit, less deductible and premium.) In my simple calculation (premium over benefit), this puts the price of risk at about 15.5% of the benefit.
Now compare that to car insurance (again with (almost) actual numbers from a major US insurer). For this I subtracted everything except collision and comprehensive insurance on the asset itself. These numbers look like:
Pricing this risk at $900 against $74,000 of benefit comes down to 1.2%. Given the unpredictability of auto loss, this is a telling difference.
What about liability and anything else I got from the auto policy? If I add these, the difference gets much bigger. The benefit amounts to $375,000, against a premium of $1,400, which reduces the price of this risk to less than half a percentage point.
Which means that this particular cyber insurer rated its cyber risk at more than 10 times the risk of automobile loss. Adding liability, this factor is greater than 20x!
How about something really exotic? I ride Italian motorcycles. It must be very expensive from an insurance point of view, right? (Again, removing liability.) At $45,000 benefit vs. $600 premium, my insurer assesses their risk of losing my motorcycle on a circuit at only 1.3%.
Are you TEN TIMES more likely to suffer a loss from cyber than to have a car accident? Even if you don’t know how insurance companies rate their risk, just understanding the differences in premiums and benefits between products can tell us a lot about the real risks.
Since driving a car is the most dangerous ordinary activity many of us will ever do, it’s hard to believe that cyber risk is this much bigger! What you can conclude is that these companies appear to have factored a huge amount of unpredictability into their risk – our advice probably should too.