Cyber Insurance

How to Close the Cyber Insurance Coverage Gap

Noah Simon | March 4, 2015

During a Feb. 10 gathering of the Federal Advisory Committee on Insurance (FACI) in Washington, D.C., Deputy U.S. Treasury Secretary Sarah Bloom Raskin highlighted the coverage gap that exists in the cyber insurance market. Raskin pointed out that the cyber insurance market doubled to $2 billion from 2013 to 2014, but that small and medium-sized businesses (SMBs) “remain a small fraction of the overall U.S. insurance market.”

There is demand in the SMB market for cyber insurance policies. Insurers need to take advantage of this opportunity if the cyber insurance market is to continue to grow.

Seizing this market opportunity would also make SMBs more secure. Greater adoption of cyber insurance could help create baseline risk management standards and practices as underwriters determine the levels of risk they are willing to take on.

However, given SMBs' current security performance, insurers have reasons to hold out. According to a recent PwC study, larger firms are significantly better at detecting breaches. In 2014, large organizations with annual revenues of $1 billion or more detected 44% more incidents compared to 2013. Meanwhile, companies with revenues of less than $100 million detected 5% fewer incidents in 2014 than they did in 2013.

This decline is not simply because smaller organizations are targeted less by attackers. The study also states that “sophisticated adversaries often target small and medium-size companies as a means to gain a foothold on the interconnected business ecosystems of larger organizations with which they partner.” This highlights both the importance of continuous vendor risk management and why we all need to focus on improving security performance in the SMB market.

How can SMBs and insurers close the gap?

To overcome budget and resource constraints, small businesses will need to demonstrate that they value security just as much as larger firms. If small and medium-sized firms are continuously monitoring their networks, insurers may feel more confident offering reasonable coverage at more favorable costs.

At the aforementioned gathering, Deputy Treasury Secretary Raskin pointed out that insurance companies need to create better policies to cover the SMB market. However, before better policies become available, smaller businesses will need to do their part in gaining the trust of insurers. Demonstrating improved performance over time is one way SMBs can do that.

If small and medium-sized businesses can document improved security performance in the coming year, it is likely insurers will be willing to offer more coverage. It will be interesting to see how much the coverage gap narrows in the near future.
