When a few high-profile hacking incidents hit household-name firms like Target and Home Depot in 2014 and 2015, some in the insurance industry – and more than a few in public life – said that cyber risk required an expensive new government solution.
The threat of a major Internet outage caused by hackers, they said, was an "uninsurable" systemic risk that would impact all economic sectors at once and more-or-less required government protection in the form of a "backstop" that would pay high-end losses.
Certainly, some firms had reason to think that their bills for Internet-related coverage were going to soar. May 2014 changes made by the industry advisory firm ISO to its standard commercial general liability policy (used by many private companies) included much broader exclusions of the kinds of cyber risks that general-purpose commercial insurance policies once covered. Companies now usually have to buy separate cyber insurance policies in what's called the "standalone" market. More than a few firms experienced a degree of sticker shock when they had to buy these new policies for the first time in 2014 and 2015, and the market for them remains very fluid.
But as firms with cyber insurance renew their policies (often for the first time), something is happening that ought to warm any free marketer's heart: The market is working and driving prices down. Even though many kinks remain to be worked out, Marsh Inc., the world's largest insurance broker, reports that prices have fallen about 13 percent in the highest-risk industries. Meanwhile, existing players in the cyber-insurance market continue to see significant business growth.
The market still isn't stable (brand-new markets seldom are), but the evidence indicates that insurers are willing to sell coverage at a price that buyers are willing to pay. Prices might drop further still.
This doesn't rule out the possibility that there could be some risks somewhere with which the private sector just can't deal. But the ones easiest to conceive remain those that involve physical destruction of infrastructure. These would be either acts of terrorism (which an existing $100 billion federal backstop covers) or war (which has never been insurable).
In any case, there's no law of nature that says cyber insurance is the only way to manage risks associated with the Internet. Firms might find it better to hold larger reserves, invest in security or use alternative financial arrangements like bonds to manage their risks.
This doesn't rule out the idea that there might one day be a need for some expanded government role. But the latest news makes one thing clear: The burden of proof ought to remain very much on those calling for more government intervention.