Several events have particularly contributed to this, not least threat incidents like NotPetya and regulatory developments like the passage of the European Union’s GDPR, with the result that cyber insurance premiums have grown by almost 25 times since just 2015. 

One size doesn’t fit all: the insurance view of cyber risk

Most major healthcare network system attacks in recent years have featured a payout, with the verified $22 million Bitcoin payment made by Change Healthcare’s parent company UnitedHealth Group (UHG) among the most recent examples. More significantly, rapid payment is logical from the primary perspective that impacts the victim’s risk outlook during a crisis — that of the insurer.

If risk is uncertainty that one can put a price on, then insurance companies rely on data about threat behavior and danger potentialities to construct a functional view of probability across risk categories. Car accidents, for example, are notoriously straightforward to model statistically, given decades of data from all parts of the developed world available for analysis. Cyber risk, by contrast, is less straightforward and suffers from a relative shortage of available examples.