Most traditional commercial general liability policies do not cover cyberrisks, but cyber incidents were ranked as the third-highest global business risk in 2016, Allianz’s Risk Barometer determined. The average cost of a breach in the United States reached $7 million in 2016, a Ponemon Institute survey cited in a new Insurance Information Institute (I.I.I.) report found.

U.S. insurers are becoming more skilled at underwriting and pricing stand-alone cyber insurance policies as businesses show a greater interest in protecting themselves from data breaches and attacks, according to the I.I.I.

“More than 60 carriers offer stand-alone cyber insurance policies, and it is estimated the U.S. market is worth over $3.25 billion in gross written premiums in 2016, with some estimates saying it has the potential to grow to $7.5 billion,” said Dr. Robert Hartwig, special consultant to the I.I.I.

A stand-alone cyber insurance policy typically offers the following coverages, the I.I.I.’s report explains:

  • Liability—Covers the costs (e.g., legal fees, court judgements) incurred after a cyberattack, such as data theft, or the unintentional transmission of a computer virus to another party, causing them financial harm.
  • Crisis Management—Covers the cost of notifying consumers about a data breach that resulted in the release of private information, and providing them with credit monitoring services, as well as the cost of retaining a public relations firm or launching an advertising campaign to rebuild a company’s reputation.
  • Directors & Officers (D&O)/Management Liability—Covers the cyber liability risks faced individually by a company’s key decision makers while acting on behalf of the company.
  • Business Interruption–Covers loss of income due to an attack on a company’s network that limits its ability to conduct business.
  • Cyber Extortion—Covers the “settlement” of an extortion threat against a company’s network, as well as the cost of hiring a security firm to track down the blackmailers.
  • Loss/Corruption Of Data—Covers damage to, or destruction of, valuable information assets as a result of “viruses, malicious code and Trojan horses,” the white paper states.
  • Criminal Rewards—Covers the cost of posting a criminal reward fund for information leading to the arrest and conviction of a criminal who has attacked a company’s computer systems.
  • Data Breach—Covers the expenses and legal liability resulting from a data breach.
  • Identity Theft—Provides access to an identity theft call center in the event of stolen customer or employee personal information.

Cyber risks are still challenging for insurers to underwrite due to the constantly changing range of perpetrators, targets and exposure values; a lack of historical actuarial data; and the interconnected nature of cyberspace, which makes it difficult for insurers to assess the likely severity of cyberattacks.