How common is cybersecurity insurance in the US compared to globally? How much does it cost? How much does it actually help companies in the event of a breach?
These are some of the questions we set out to answer when we took a deep dive into the state of the cybersecurity insurance market in 2022.
In this article, we’ve compiled more than 23 cybersecurity insurance statistics from multiple data sources to answer these questions and help companies make better insurance and security decisions.
Cybersecurity Insurance Statistics (Editor’s Picks)
- The global market for cybersecurity insurance was USD 7.60 billion in 2021 and is expected to grow to USD 20.43 billion by 2027.
- The US market for cybersecurity insurance was worth $2.38 billion in 2020.
- How often did cyber insurance pay out? 27% of data breach claims and 24% of first-party claims had some exclusion written into the policy that prevented a partial or full payout.
- How many companies have cyber insurance? In a 2022 survey, only 19% of organizations claimed to have coverage for cyber events beyond $600,000.
- Only 55% of organizations claimed to have any cybersecurity insurance at all.
- How common are cybersecurity insurance claims? In the past 3 years, cyber insurance claims have increased on the order of 100% and payouts by a total of 200%, with claims peaking at 8,100 in 2021.
- What size companies made the most cybersecurity insurance claims? 99% of all cybersecurity insurance claims came from SME companies (annual revenue under $2 billion).
- The average cybersecurity insurance claim cost for a small to medium enterprise is $345,000.
- The average cybersecurity insurance claim cost for an SME for a ransomware event is $485,000. The average claim for all organizations is $812,360.
How Big is the Cybersecurity Insurance Market Globally?
The global market size for cyber insurance was USD 7.06 billion in 2020 and is expected to grow to USD 20.43 billion by 2027. According to Fortune Business Insights, the cyber insurance market was USD 7.49 billion globally in 2021. Both studies predict that the market will grow at a CAGR of 24% over that same time.
Source: Research and Markets report. Fortune Business Insights.
How Big is the Cybersecurity Insurance Market in the US?
The US market continues to be the largest contributor to the cyber insurance market, with a total market cap in 2020 of USD 2.38 billion. Further, it is predicted that the US will continue to be the largest driver in the growth and adoption of cyber insurance over the next 6 years.
Source: Fortune Business Insights
Is the Cyber Insurance Market Growing?
The short answer is yes, the market is growing, but like many markets over the last few years, COVID-19 has introduced unforeseen factors that have altered the growth pattern and adoption. Analysis shows that cybercrime and claims are increasing across the globe, which further drives the adoption and desire to have coverage for cyber-related incidents.
The main factor contributing to the adoption and growth of the cybersecurity insurance market is that the overall cost of claims is going up.
Sources: IBM reference in the Research and Markets report. Fortune Business Insights.
CISOs Comment on the State of Cyber Insurance
While these numbers seem to be supported across multiple studies, there is room to theorize that the overall growth in the industry may be stronger in that period. From personal experience and from conversations with peer CISOs across industries, overall rates and ability to gain cyber insurance are becoming more difficult. To me, this indicates a demand that is stronger than the risk appetite of the insurers and shows that organizations are utilizing cyber insurance as a mechanism to help make the organization whole, in the event of a breach.
I have heard from several CISOs and executives who have claimed to be turned away by cyber insurance carriers. In some cases, this may be due to the type of business or vertical the organization operates within. This is very similar to trying to get homeowners’ insurance in a hurricane-susceptible region or a low natural disaster region with a fire station close by. The risk of loss to the insurer is lower. This further indicates to me that the market is extremely strong and has high demand, as it was not that long ago that almost any organization could get coverage if they chose, no matter how good their security program was.
How Common is Cyber Insurance?
It can be difficult to know just how many organizations have coverage and what level of coverage they have, as this data is self-reported. In a 2022 survey of 450 organizations, only 19% claimed to have coverage for cyber events beyond $600,000, with a total of 55% having some cyber insurance coverage.
Another way to look at total adoption is based on the total written coverages. Total written premiums in 2020 were USD 2.7 billion, with a total of 4 million policies in force. Additionally, we see continued adoption of cybersecurity insurance year after year from 2016 (doubling in that time), with the largest increase being from 2019 to 2020.
Sources: The Register, NAIC, Sophos.
How Common Are Cyber Insurance Claims?
A good way to review the total number of claims is to review the loss ratios (losses incurred as a share of premiums earned). Insurers expect to have to pay out a certain number of the full claims each year, and they attempt to spread that cost across the premiums, in hopes of not having to pay out all of the premiums.
In 2020, the top 20 cybersecurity insurers’ loss ratio ranged from 24.6% up to 114%.
In the past 3 years, cyber insurance claims have increased on the order of 100% and payouts by a total of 200%, with the claim payouts peaking at 8,100 in 2021.
Further, a detailed 2021 report analyzing 5,797 claims from 2016-2020 found that 99% of all claims came from SME companies (annual revenue under $2 billion).
Sources: NAIC, Fitch Ratings, NetDiligence.
What is The Average Cyber Insurance Claim? ($)
Breaking down the insurance claims, the average claim cost for a small to medium enterprise is:
- $111,000 for crisis services
- $98,000 for legal
- $145,000 for the incident itself
- $345k average total claim
However, when it comes to ransomware, the total average claim cost rises to $485k.
What is the Most Common Reason for a Cyber Insurance Claim?
Ransomware continues to be the most common cyber insurance claim, followed by phishing attempts.
However, it can be argued that phishing is the primary culprit of compromise, as this is how most ransomware is entering the business.
According to a 2022 report, one in six cybersecurity insurance claims were related to ransomware, with the FBI seeing a 69% increase in reported complaints or crimes in 2020.
Also, a total of 37 billion personal records were compromised in 2020, which shows that the impact and the total number of breaches are not slowing down.
All of this is reflected in the additional legislation and regulatory requirements that are being passed and imposed on organizations.
Sources: NetDiligence, Security.org.
What Percentage of Security Breaches Are Covered by Cyber Insurance?
According to one report that analyzed more than 1,150 claims, 36% of the cost of the incident cybersecurity events the insurer paid under the policy limit, and in 2% the insured limit was under the total amount required for the incident, resulting in an underpayment by the broker.
In all, 27% of data breach claims and 24% of first-party claims had some exclusion written into the policy that prevented payout or full payout.
Source: Willis Towers Watson.
Who Are The Largest Cybersecurity Insurers?
The top 8 cybersecurity insurers are Chubb, AXA XL, AIG, Travelers, AXIS, Beazley, CNA, and BCS. What is more astounding is that AXA XL, Chubb, AIG, and Travelers make up 40% of the market for policies across all industries.
With so few insurers holding such a large percentage of the market, they can effectively dictate rates and rate increases, along with the requirements for insurance. However, they are also taking on a larger percentage of risk and loss at the same time.
Source: eSecurity Planet, NAIC
What’s The Most Popular Type of Cyber Insurance?
There are multiple types of cybersecurity insurance an organization can have. Beazley lays out the most common types of policies that are available, which range in coverage and use cases. Breach policies cover response, investigations, and monitoring services.
First-party coverage includes business interruption, extortion, and recovery costs. Third-party coverage helps with regulatory fines, privacy, and media. An additional policy can be added as a rider that covers fraud, which could be an accidental transfer of funds or other fraudulent activities.
While it would be great to have hard numbers on which policies are most popular, this data is difficult to obtain. In the absence of this data, we are left to infer based on other cyber insurance data what the most common cyber insurance policies might be.
Based on the report by NetDiligence and according to the cost of the breaches, it would appear the two most common policies carried are breach response and first-party insurance.
Speaking from experience and from what I hear from peer CISOs, fraud insurance can be hard for any business that deals with payments (either business or consumer) regularly, so this policy tends to be utilized less.
Further, it is common for cyber insurance policies to be written with a primary and secondary provider, usually split evenly to help offset the risk exposure.
Source: Beazley, NetDiligence.
Most Common Reason Companies Invest in Cyber Insurance?
The two most common reasons for a company to invest in cyber insurance are:
- A cyberattack occurred against another company in the same industry.
- It was recommended after an independent cybersecurity risk assessment.
Other reasons a company will have cyber insurance are for the recovery of lost data or lost devices, to meet notification requirements, and for forensics after an incident.
Recovering from an incident can be costly, especially when systems need to be restored or rebuilt because they have been compromised and are not able to operate safely.
Additional notification requirements have increased the cost of a breach, as have the fines that can be levied against an organization. Often, a charge of several hundred dollars applies to each compromised or deleted record.
For an organization to be able to withstand the financial hit, the organization will need insurance to assist with the costs of dealing with a breach and the fines that will result from it.