Cybersecurity insurance market for SMEs still in its infancy

For the first time, a scientific field study has been performed on the Dutch cyber insurance market for SMEs. The reason: SMEs underestimate the dangers of cybercrime and insurance can help to contain the risks. Furthermore: the last research on the subject was done 10 years ago in the USA. In this study, nine insurance firms were put to the test by a consortium from Leiden University, Delft University of Technology and Erasmus University Rotterdam.

Nine insurance firms put to test

Tenders were requested on behalf of six companies, ranging from an ‘adult entertainment website’ to a local baker. The nine insurance firms were: ACE, AIG, Allianz, AON, CNA, Chubb, Hiscox, HDI-Gerling and XL. The key question was: is the market in line with economic theory regarding (cyber) insurance?

Results

Here is a selection of the results that are relevant to SMEs and policymakers:

  • The market is very small, there are actually only six insurance firms with a varied portfolio. For comparison: There are 36 insurance firms that offer car insurance.
  • Policies are extremely difficult to compare, not only for SMEs, but also for the experts who were consulted. Moreover, there are huge differences between the policies, including coverage, excess, application procedure (a simple e-form versus 18 pages) and exceptions.
  • Most insurance firms do not cover outsourced IT systems (as commonly used by SMEs).
  • Cyber insurance would appear to be relatively expensive: insurance starts at €1000 a year with high excess.

Recommendations

The researchers have made a number of policy recommendations, including:

  • Look into the possibility of a ‘basic standard policy’ for cyber insurance in order to make comparisons easier.
  • Look into the insurance firms’ requirement to spread risk, as there are other options, including ‘pooling’ risks themselves.
  • For insurers: Make the application procedure easier.
  • For insurers: Share data about actual damages incurred in order to gain a better picture of the market.

Note to the editor:

For more information about our research into the cyber insurance market or the Leiden-Delft-Erasmus Centre for Safety and Security, please contact Bernold Nieuwesteeg: nieuwesteeg@law.eur.nl. 

 

More information
Listen to the radio interview with researcher Bernold Nieuwesteeg (in Dutch)