The twin terrors of regulatory scrutiny and high-profile data breaches mean the cyber insurance market is set for rapid growth in the next few years, but the space is often misunderstood, even by those who need it most.

“The average person is going to look at cyber insurance as covering all kinds of risk related to the Internet and the cyber sphere, but cyber insurance is really, at its core, a data breach insurance product,” said Gwenn Bézard, research director at the Boston-based Aite Group and leader of the organization’s insurance practice.

Bézard, who recently penned a paper for Aite Group outlining the cyber insurance landscape, said the product has been around for about 20 years, ever since technology vendors began strengthening their errors and omissions policies, but it picked up steam in 2002 when California enacted a data breach notification law.

Today, it’s a billion-dollar market, although it still makes up a very small percentage of commercial insurance premiums across the globe. PwC estimates that global premiums, which topped $2.5 billion in 2014, will reach $7.5 billion by the year 2020, a figure Bézard cites in his paper.

Meanwhile, the National Association of Insurance Commissioners (NAIC) said that an analysis of more than 500 insurers found direct written premiums of almost $484 million in standalone policies and $1 billion in cybersecurity package policies last year.

But while the market is growing rapidly, there still remains confusion around what cyber insurance does and does not cover, and where traditional insurance policies might fill in the holes. For example, if a cyberattack starts a fire in an organization’s property, that company’s cyber insurance might not cover those damages, but their property insurance might.

Or in another instance, many cyber insurance products cover ransomware attacks, but not spear-phishing attacks, Bézard said. In a spear-phishing attack, a hacker might gain access to the CEO’s email and instruct another employee to wire money to a destination of the hacker’s choosing. The phish works because the message appears to be legitimate, and though the attack originated online, cyber insurance policies may not cover that loss because it ultimately comes down to human error.

Bill Goddard, a partner who specializes in insurance at the law firm Day-Pitney, said another issue is that the industry doesn’t yet have the standardized forms common to other segments of the insurance market. While the NAIC reports that more than 500 insurers offer cyber insurance policies, those might not all be standalone policies. Most of the major carriers offer cyber policies by now, but many of the smaller carriers might just offer endorsements to existing policies, he said.

Goddard also noted that the NAIC is fast-tracking a new insurance data security model law intended to standardize insurers’ practices in this area, though he clarified that the model law would not standardize their forms.

“The act right now says that everybody has got to get indemnification from their vendors, so all of a sudden, everybody is going to be taking on everybody else’s cyber risk,” he said.

Moreover, increased regulatory scrutiny means cyber insurance will play an important role in a bank’s overall cybersecurity policies and procedures.

“The combination of the solvency of financial institution and the protection of the consumer is just so compelling right now that if I’m a regulated entity, I want to address both and my regulators are going to want to talk to me about addressing both,” he said.

 

Beyond The Headlines  

Cyber insurance is especially important for the financial services sector, but banks sometimes don’t fully understand what their existing policies cover in terms of cyber incidents.

“I’ve run into some banks who don’t have proper cyber coverage and they don’t really even know that they don’t have it,” said Theresa Reardon, executive director of the Massachusetts and New England Financial Services Insurance Agency. Reardon works in partnership with the Massachusetts Bankers Association to educate New England banks about the need for cyber insurance. She said she’s worked with some bankers who may (wrongly) think their other insurance policies will cover them in the event of a cyber incident.

“I’ve had some banks feel like they’ve got adequate coverage in their bond policies. Well, not really. Not as much as you would think,” she said.

Still others may think that because their institution is small, they don’t need it.

“You only hear about the really bad stuff in the news,” Reardon said. “You don’t really hear about the small stuff, but it happens. We have banks who have small, little things happening daily, in some cases.”

Cyber insurance can run the gamut, depending on the size and risk profile of the institution, Goddard said. He noted that some very large institutions will insure the first “lower layers” – say up to the first $10 million – via a captive insurer and use a third-party insurer for damages above that.

It doesn’t need to be that onerous for a smaller institution. But for those banks or credit unions, a good broker can be your best friend in this area. A knowledgeable broker can help a financial institution understand what policies will cover what scenarios and might even help fill in the holes in existing policies during the underwriting process, Goddard said.

“Understanding this risk is hard for the really seasoned insurer who’s active in this market,” he said. “If you partner with a really careful insurer and a good broker, you can get a good program where cyber fits hand-in-glove with your other coverage.”

Scrutiny, Breaches Increase Focus On Cyber Insurance

by Laura Alix