People have been talking about the inevitable rise of cybersecurity insurance for more than a decade now. A good early example is Bruce Schneier’s The Insurance Takeover essay from 2001. In spite of its promise, this market has been slow to build. This is surprising given the increase in the scope of the threat landscape and the prevalence of targeted persistent attacks (TPA), the main aim of which, typically, is fraud, financial gain, or the theft of intellectual property.

The number of insurance carriers that offer cybersecurity policies remains relatively small, numbering in the dozens. By comparison, 5,000 companies provide property and casualty insurance just in the United States. The underlying drivers that foretell a cybersecurity insurance market remain in place. If anything, the need for financial tools that allow organizations to augment risk/security programs with risk transfer strategies (e.g. insurance policies) is stronger than ever.