Will cyber insurance become mandatory?

Cyber insurance is set to become as essential as workers’ compensation insurance in the near future, a cyber insurance provider CEO has predicted.

Vishal Kundi, CEO and co-founder of Toronto-based cybersecurity and insurance specialist MGA BOXX Insurance, told Canadian Underwriter that he foresees cyber insurance becoming mandatory as it increasingly becomes “vital to most countries’ economic health.”

An Insurance Bureau of Canada-commissioned survey released Tuesday found that in 2021, 41% of small businesses polled that had suffered a cyberattack reported it cost them at least $100,000, up from 37% in 2019. Yet only a quarter (24%) of the 300 polled said they plan to purchase cyber insurance within the next year.

Kundi said insured cyber losses worldwide will continue to grow, citing Cybersecurity Ventures’ recent estimates that global cybercrime will reach US$10.5 trillion annually by 2025.

“If this is true, this would represent the greatest transfer of economic wealth in history and arguably larger than the global trade of all major illegal drugs combined,” Kundi said.

Kundi released a whitepaper on the topic this week, in which he outlines several reasons cyber insurance could follow the same path as workers’ comp insurance — a required purchase for almost all businesses in North America.

“In the era of digitization and COVID-19 pandemic-induced remote working, cyber risk is fast becoming an everyday risk that touches nearly every business in the same way as workers’ comp exposure does,” Kundi said. “Nearly all businesses in North America depend on a constant connection to the internet. Being digitally connected has led to a new era of digital crime, cost and privacy exposure that’s wreaking havoc on businesses and society and allowing the aggressors to collect great fortunes.”

Four reasons cyber might be mandatory…

Kundi said there are four main reasons why cyber insurance might become as commonplace as workers’ comp for businesses of all sizes:

1. Cyber insurance is core to building a digitally resilient, healthy business sector.

“In most countries, 90% of the private sector employees work in small to medium-sized (SME) companies, and considering that over 60% of SMEs fail after being a victim of cybercrime, without cyber insurance, governments would be left picking up the bill for businesses that become digital roadkill,” Kundi said.

2. More governments will see cyber insurance as shield during the “privacy revolution.”

“In much the same way as the industrial revolution highlighted hazardous work conditions that led to governments introducing health and safety standards enforced by regulation, with workers’ comp as a final back-stop, I’d argue that today’s pace of digitization highlights equally toxic exposure: data privacy,” Kundi said. “It’s not a leap to see cyber insurance, or at least data privacy liability, following the same path as workers’ comp.”

3. Ransomware attacks will fade.

“It’s foreseeable to see coverage for ransomware scale back as governments say enough is enough,” Kundi said. “More manageable cyber extortion threat exposure will lead to a less volatile cyber insurance market.”

4. Cyber insurance eligibility requirements will lead to improved business performance

“Progressive versions of workers’ comp have led to improved employee health and safety measures and proactive prevention efforts to reduce the risk of workplace injuries,” Kundi said. “Similarly, as we better understand cyber risk, better data will show the connection between risk mitigation and cyber losses, pressuring companies to invest in security and protection.” Insurers will also become better at helping companies understand cyber risk-management effects on potential revenue, profit, brand and overall success, he added.

…and two reasons it may not

There are two main reasons why cyber insurance might not reach the same penetration levels as workers’ comp, Kundi said. First, insurers could withdraw capacity, significantly cutting back cyber insurance.

Second, demand for cyber insurance may tail off. But Kundi said that even a “worst-case” global digital cat event “wouldn’t be enough to cripple the entire cyber insurance and reinsurance industry.” As for decreasing demand, Kundi said such a scenario “assumes companies find an affordable way to minimize exposures, absorb the risk of them being found fallible and that policymakers stand on the sidelines and don’t look to protect business by making cyber insurance a condition to operate, in the same way that workers’ comp has become.”

Feature image by iStock.com/WhataWin