The market for cyber insurance, a product that did not even exist before the mid-1990s, is booming. According to the Insurance Information Institute, the U.S. cyber insurance market generated about $2 billion in premiums in 2014. Some experts estimate that premiums will increase to $7.5 billion by 2020. High-profile hacks on confidential customer data and prominent companies—like Sony, Target, Apple, multiple large banks, as well as the Department of Defense and U.S. Office of Personnel Management—have raised concerns about the integrity of the personal data entrusted to firms and government agencies. These cyber incidents also raise alarms among policymakers and regulators, who understand that the attacks threaten economic activity, financial markets, and U.S. national security.
In 2014, there were 783 reported data breaches in the United States, and those breaches exposed 85.6 million records.
In response to these attacks, companies are upgrading their systems and purchasing cyber insurance protection. Government interest is also driving the growth of the market. Nearly all states, for example, now require companies to notify customers of cyber breaches. Cyber insurance is also growing globally, as the European Union is expected to implement cybersecurity rules in the near future. Another dynamic increasing the demand for cyber insurance is the growing realization among directors and officers of companies that they could be held personally liable for cyber attacks.
In this issue brief, the Bipartisan Policy Center’s Insurance Task Force starts with the premise that a well-functioning market for cyber insurance, one that offers a robust range of products that meet the needs of consumers in a competitive environment, would benefit consumers, businesses, and national security. Reaching that goal will require overcoming some difficult obstacles. This paper provides a guide to policymakers on how best to address these obstacles and facilitate a well-functioning cyber insurance market in the United States.