Preface: Gartner doesn’t cover cyber insurance, and I’m not really supposed to talk about it, because we don’t give financial or legal advice. This post offers no opinion about cyber insurance; it’s about what we can learn about cyber risk from how cyber insurers view their own financial risk.
Take the following real(ish) numbers I saw recently on a cyber risk policy:
- Premium: $1,000,000
- Limits: $15,000,000
- Coinsurance: 50%
- Deductible: $1,000,000
By my calculation, what the client was being asked to pay a million bucks for was essentially just five and a half million in benefit. (50% coinsurance actually reduces the 15m limit to 7.5m benefit, minus the deductible & premium.) That puts the price of the risk, in my simple math (premium over benefit), at about 15.5% of benefit.
Now compare that to auto insurance (again with real(ish) numbers from a major US insurer). For this, I subtracted out everything except collision and comprehensive insurance on the asset itself. Those numbers look like:
- Premium: $900
- Limits: $75,000
- Coinsurance: 0%
- Deductible: $1,000
Pricing this risk at $900 against $74,000 in benefit works out to 1.2% of benefit. Given the unpredictability of auto loss, that’s an eye-opening difference.
What about the liability and everything else I removed from the auto policy? If I add those back in, the difference becomes a lot more stark: benefit rises to $375,000 against a premium of $1,400, reducing the price of that risk to less than half a percentage point.
That means this particular cyber insurer was pricing their cyber risk at more than 10 times that of auto-loss risk. Adding back in liability, that factor is more than 20x!
How about something really exotic? I race Italian motorcycles. That’s gotta be really expensive from an insurance perspective, right? (Again, removing liability.) With $45K in benefit against a $600 premium, my insurer prices their risk of losing my motorcycle on a racetrack at just 1.3%.
Are you TEN TIMES more likely to suffer a loss due to cyber than you are to get into a car accident? Even if you don’t know how insurance companies price their risk, just understanding the differences in premiums and benefits between products can tell us a lot about where they feel the real risks lie.
Given that driving a car is the most dangerous ordinary activity many of us will ever do, it’s hard to believe that cyber risk is that much greater! The takeaway is that these companies seem to have priced a huge amount of unpredictability into their risk, and our boards probably should, too.