While the overall cyber risk insurance market is growing tremendously, larger corporate clients have driven much of the expansion. Smaller companies, on the other hand, have not followed suit, Deputy U.S. Treasury Secretary Sarah Bloom Raskin said recently.

“Cyber insurance take-up rates at smaller companies [with revenue less than $1 billion) has not grown,” Raskin told the Feb. 10 gathering of the Federal Advisory Committee on Insurance (FACI) in Washington, D.C.

“It creates a gap between coverage of large institutions and small,” Raskin said, adding that the imbalance was “particularly troubling” in the insurance industry’s struggle to concoct coverages to address the fast-evolving problem of cyber attacks.

FACI is a group of industry, regulatory and academic experts that advises the Federal Insurance Office on policy matters. Raskin gave the committee an update on the cyber threat issue, as well as related cyber security issues addressed at previous Department of Treasury-related round-table discussion involving insurance and other parts of the financial sector.

Among the industry issues worth noting: She told FACI members that the cyber insurance market doubled to $2 billion from 2013 to 2014, though “it remains a small fraction of the overall U.S. insurance market.”

Raskin also said that the Treasury Department and the Federal Insurance Office want counsel from FACI on how to spark a more robust cyber insurance market:

As well, Raskin asked FACI to address the following issues:

  • Why do small (and medium-sized) businesses lag behind their large counterparts in obtaining cyber insurance?
  • How can cyber insurance become more accessible and beneficial to all institutions?
  • Are there more systemic ways to bolster cyber security of third-party vendors?
  • How can companies be aided identifying their specific cyber risk and the right type of cyber insurance that might mitigate that risk?
  • How can government encourage the collection of cyber insurance claims data to facilitate better modeling of cyber risk?
  • How might aggregate risk exposures play out in the event of a widespread attack.

FACI committee member Daniel Glaser, president and CEO of Marsh & McClennan Companies Inc., responded that he has “seen the insurance industry in many different ways promote risk mitigation, risk avoidance and shared best practices as it protects capital” as far as cyber security.

Another FACI committee member, John Franchini, superintendent of insurance in New Mexico, noted that regulators in New York and New Mexico have pushed for greater cyber security among insurers themselves.

“We’re actually reviewing all the cyber security [insurers] have in place,” Franchini said, noting that penalties have been in play for insurers found lacking.

He added: “We have been very happy with our progress,” but urged other states to pursue similar action.