A handful of early decisions from courts in the US have sent mixed signals to insurers. In one case, Travelers Indemnity, an insurance company, asked a federal court in 2014 to rule that a general liability policy it sold to PF Chang did not cover a breach of customer data at the US Chinese restaurant chain. It won that case but lost another similar suit.  In response to this uncertainty and a signal that some have now acknowledged how exposed they may be, many companies are responding to the problem and have started to write exclusion clauses into policies noting that cyber attacks and other related risks are not covered.  “One of the key issues for businesses today are the gaps in traditional insurance cover that can leave companies exposed to the impact of cyber threats. There’s an urgent need for insurers to properly redefine terms of cover to meet the rapidly changing cyber threat environment,” said Jason Kelly, AIG’s head of liabilities and financial lines for greater China and Australasia.

Stephen Greeves, analyst at FMP Insurance Services Europe says, “the Cyber-Crime Insurance is an area of insurance that is rapidly expanding. Unfortunately the insurers have limited information to assess suitable premiums. This could result in an underestimation of the liability the insurers are undertaking.” Cyber insurance, which first emerged two decades ago, is a $2bn-plus market and forecast by insurance credit ratings and information service to expand to $7.5bn by 2020. Having grown globally at 20-25 per cent annually over the past three years, cyber insurance has been embraced by an industry ravenous for sources of growth.  Despite that eagerness cyber insurance remains, say Sompo and others, under-developed as a market. Insurers have 100 years of data on automobile accidents, and more than that on many crimes, say experts on cyber security, but most incidents go unreported and insurers lack data on the likelihood of a breach.