Cyber security has become a frequent headline topic, increasing the awareness of risks to business from a wide variety of serious cyber related threats, ranging from the theft of intellectual property, customer data and (lately) the destruction of physical property through the exploitation of a cyber vulnerability. Despite increasing adoption of cyber insurance products and frequent cyber-related initiatives across the insurance and risk world, the majority of cyber risk transfer developments to date relate to privacy or data breach risk, and specifically, breaches of personally identifiable information (PII). Such developments have been incredibly positive and numerous firms have been aided tremendously by their insurance policies when breaches have occurred. Furthermore, credit can be paid to the insurance industry’s proactive approach in designing packaged breach mitigation solutions that have helped contain costs. Several studies now put the average cost of a privacy breach in the $4M to $6M range, and that is a manageable exposure for many firms. At the extreme, the losses to Target (yet to be confirmed) are estimated to reach nearly $1B (not including bank losses).

Privacy, however, is only a fraction of cyber risk, and many companies that are not consumer-facing or do not play in the PII chain are struggling with the insurability of their increased exposure. The broadening of the risk spectrum to include physical makes cyber risk a game changing phenomenon that can impact numerous lines of insurance coverage, as well as escalate costs and losses far beyond those of a typical privacy breach.

Simply put, the insurance industry needs to embrace this evolving reality, approach cyber risk in a comprehensive and consistent manner, and provide end-to-end solutions that provide confidence to policyholders that the majority of cyber risk is covered. In doing so, the insurance industry can also serve as a major catalyst and facilitator for public and private enterprise to significantly improve cyber security footing.