This essay is excerpted from Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks. Copyright © 2022 by Josephine Wolff. Used with permission of the publisher, MIT Press.
Only 20 people showed up for the Breach on the Beach party at the International Risk Insurance Management Society’s annual convention in Honolulu in April 1997. It was a small gathering, but it marked a huge achievement for Steve Haase, who was then an insurance broker and senior vice president at Hamilton Dorsey Alston Co. For more than two years, Haase had been trying to persuade colleagues in the insurance industry to back a new product that would protect companies whose data had been stolen from their computer servers, but no one had been willing to bite—until now.
The Breach on the Beach luau marked the official launch of Haase’s brainchild, called Internet Security Liability (ISL), an insurance policy tailored to the risks of e-commerce and underwritten by insurance firm American International Group. “[AIG] was willing to take the risk to get the market share,” Haase told Inc. magazine in an article published later that year. Insurance is an industry that trades in risk and depends on being able to estimate and assess different types of risk—but the risk that Haase was referring to was that there might not be any way to effectively measure the types of online risks he was aiming to insure companies against. The challenge, as Haase described it then, was that “there aren’t really any actuarial studies of Internet commerce. … Banks and other merchants aren’t too forthcoming with that sort of information.”
At the time, Haase had been selling insurance policies to technology companies for a decade, and he was fascinated by how the internet was becoming a platform for business. Online commerce was still very much in its infancy in 1997, but it was already showing signs of rapid growth. In 1995, Microsoft started bundling a web browser, Internet Explorer, with its popular Windows operating system, giving millions of computer users worldwide an easy way to access the internet. From 1996 to 1997, the number of internet users worldwide grew from 40 million to 100 million people, and the number of registered domain names grew from 627,000 to 1.5 million. Amazon, which had opened its online bookstore in 1995, sold $148 million worth of books in 1997, up from $16 million the previous year.
The ISL coverage that Haase had persuaded AIG to back was aimed at protecting retailers like Amazon that were collecting customer credit card numbers and storing them on servers. In 1997, the standard ISL plan would provide coverage up to $250,000 in legal costs and settlement fees if customer credit card numbers were stolen off those companies’ servers and a credit card company subsequently sued the firm for failing to protect them. The premium for the plan was priced starting at $2,500 annually, but websites that had their security audited and certified by the National Computer Security Association qualified for a 25 percent discount, bringing the cost down to $1,875 per year.
Two and a half decades later, all of those numbers seem absurd—the notion that only 20 people would be interested in selling cyberinsurance, that firms would be paying only $2,500 per year for it, the prospect that a security audit would reliably net those firms a 25 percent discount, the suggestion that $250,000 would seem like sufficient coverage to shield companies from the costs of online threats. In 2017, 20 years after AIG launched the first policy, cyberinsurance represented the fastest-growing sector of the insurance industry, and there were 471 firms selling cyberinsurance policies that brought in more than $3 billion in premiums.
And yet, in many ways, the cyberinsurance industry still faces many of the same problems that Haase highlighted back in 1997: the lack of good data about how often past security incidents have actually occurred and how much they cost, and continued widespread unwillingness on the part of banks and merchants to collect or share that data. By 2017, AIG was no longer alone in offering coverage for computer-related risks, but all of the carriers who had gotten into the business were still taking a gamble to get a piece of the growing market share both in the United States and abroad.
They tempered that risk by setting high premiums, carving out careful exceptions to their policies, and fighting to uphold those exceptions in court, narrowing the scope of what their policies actually covered as online threats evolved and policyholders filed claims for new forms of computer-related losses. But even as they tried to carve out exceptions for many computer-related risks, insurers were still using the looming specter of rampant cybersecurity threats and new data security regulations to sell new policies to their customers.
The growth of the cyberinsurance market has been shaped in large part by regulations and regulators, but cyberinsurance itself remains largely unregulated. The passage of state data breach notification laws in the United States and the General Data Protection Regulation in Europe helped drive demand for cyberinsurance and influenced what types of losses those policies covered, as did the decision by the U.S. Securities and Exchange Commission that companies should disclose cyber risks to their shareholders as part of their financial filings. But unlike other forms of insurance, there are no requirements governing what cyberinsurance policies must cover, who must obtain them, or to whom they must be made available.
Unlike auto insurance, cyberinsurance is not required by law; unlike flood or terrorism insurance, it is not underwritten by the government; and unlike health insurance, the actual content of policies and the costs they must cover are not regulated by any legislation at either the state or federal level. That lack of oversight is understandable given the small size of the market for cyberinsurance and the fact that it originally covered a fairly narrow set of relatively niche threats, like retailer data breaches of the sort envisioned by Haase when he designed the original ISL policy. Historically, however, as new insurance products have grown in popularity or encountered challenges of the sort presently facing cyberinsurers, regulators have often stepped in to stabilize the market, protect consumers, and provide much-needed data or financial support. As the cyberinsurance market continues to grow, therefore, it is worth considering the roles that regulators can play in emerging insurance markets as well as the impact public policy has already had on shaping early forms of cyberinsurance.
When Haase launched the first cyberinsurance policy in 1997, it brought in $2 million in premiums in its first two years, but many customers were initially hesitant, especially with the looming specter of Y2K haunting their IT systems and budgets. “That really delayed the market for three years,” Haase said. Then, in 2000, after the Y2K threat had finally receded, the dotcom bubble burst and Haase lost one-third of his clients “overnight,” just as his business was starting to gain traction. By then, Haase had left Hamilton Dorsey and launched his own company in Atlanta, called InsureTrust, to focus on advising clients about cyberinsurance policies and, in some cases, underwriting them. It wasn’t until 11 years after its launch that the business finally became profitable, Haase said, referring to it as his “$3 million hobby.”
In those first years of cyberinsurance, there were too few policyholders for insurers to rely on pooled premiums to cover claims. Without high-quality data on the frequency or average costs of cybersecurity incidents and outages, insurance firms were forced to rely heavily on vetting their small number of customers to be sure they were adequately protected against online threats. This involvement in auditing and monitoring insurance customers’ security systems would, by necessity, dissipate in the later years of cyberinsurance sales, as the volume of customers grew and so too did the number of firms selling policies—many of which did not have the necessary expertise to vet potential customers’ networks and data security setups.
In 2000, many companies—and most insurers—also did not have access to people with computer security expertise. Insurance carriers began partnering with technology firms to reduce their customers’ loss probability—a trend that would continue in later years as more companies purchased cyberinsurance and a growing number of technology firms came to view insurers as a potential avenue for finding customers. In July 2000, Lloyd’s of London announced one of the first such partnerships, a program launched in conjunction with San José security firm Counterpane Internet Security that would offer up to $100 million in cyberinsurance coverage to protect companies that used Counterpane’s security services against “loss of revenue and information assets caused by Internet and e-commerce security breaches.”
The Lloyd’s policy covered a much broader set of costs than the initial breach insurance model that had been developed by Haase for AIG. Through Lloyd’s, customers of Counterpane could purchase insurance that would cover the costs of repairing and replacing software, lost revenue that resulted from a malicious service interruption like a denial-of-service attack, and online extortion costs. In 2000, the cost to a Counterpane customer of such a policy covering up to $1 million in losses ranged from $12,000 to $20,000 in annual premiums, depending on the size of the company, or $75,000 for a $10 million policy.
Prices for cyberinsurance policies in 2000 were all over the map, with annual premiums for $25 million in coverage ranging from $25,000 to $125,000, according to one analysis by the Gartner Group. “You don’t see a 500 percent range in traditional premiums,” Gartner Group vice president Richard Hunter said about the firm’s findings. “That tells me insurance companies don’t know how to assess the risk.”
Part of adjusting rates in those first few years involved offering discounts to insurance customers who availed themselves of particular, trusted security services. Just as Haase’s original plan with AIG had offered customers a 25 percent discount on their annual premiums if they had their systems certified by the National Computer Security Association, Lloyd’s of London also experimented with offering modest discounts to customers who implemented certain security software. In October 2000, Lloyd’s announced that cyberinsurance customers that purchased security software manufactured by Portland firm Tripwire would receive a 10 percent premium reduction.
The partnership came about after Tripwire reached out to Lloyd’s, and Tripwire’s president and CEO Wyatt Starnes was, unsurprisingly, pleased that Lloyd’s would promote his product to their customers, telling reporters at the time, “This will be great for us.” Starnes even launched a subsidiary in 2000, Tripwire Insurance Services, which was intended specifically to market security products to insurers for their customers. But Starnes’s projections for the cyberinsurance industry were way off base. He said in 2000 that he expected cyberinsurance premiums to be “in the $1 billion range” by 2003, when, in fact, premium sales would not reach that mark until 2013. Indeed, he was one of many people who overestimated how quickly the market for cyberinsurance would grow and underestimated how long it would take for these sorts of policies to become mainstream.
A modest, but noticeable, increase in interest after the terrorist attacks of Sept. 11, 2001, spurred even loftier projections than Starnes’s, with the Insurance Information Institute estimating that premium sales would hit $2.5 billion by 2005. Instead, interest in cyberinsurance would grow incrementally, with companies gradually coming around to the idea that it might be useful until sales really began picking up around 2012. Even now, the uptake of cyberinsurance continues to be gradual, not explosive, with both carriers and policyholders wary of rushing too fast into purchasing a product surrounded by so much uncertainty.
In late 2001, a small consulting firm called Senetry based out of Denver decided to look into why sales of cyberinsurance had fallen so far short of projections. Senetry identified several reasons that sales had been slow to gain momentum, even after the small spikes in interest around Y2K and Sept. 11, including that the prices for cyberinsurance policies were often “either unclear or unreasonable.” In Senetry’s survey of business owners, more than 60 percent of respondents said cyberinsurance was too expensive for them to purchase. For respondents who owned businesses with annual revenue under $250 million, that number went up to 80 percent. Senetry concluded that small companies “are not focused on cyber threats at all—they are too focused on business survival.”
There were other problems, too, besides cost. There was no standard cyberinsurance policy; each carrier covered different types of costs and incidents and attached different terms to the coverage, making it difficult for customers and brokers to understand and compare the available options. But the biggest problem—the problem from which all these other obstacles arose—was a lack of education and understanding when it came to cyber risks, Senetry concluded. Insurance brokers didn’t understand cyber risks, customers didn’t see why they would be targeted by hackers, executives hadn’t studied online threats in school, and the threats simply didn’t loom large for most of them. One employee at a transportation company in the Midwest told Senetry that cyber threats weren’t a concern for the company because they were in the transportation industry, rather than the tech sector. Senetry noted of the company: “they have a Web site, and every desk has a PC with e-mail and Internet browsing capabilities.”