The increasing frequency and severity of cyberattacks is driving huge demand for cyber insurance, and as our lives become ever more influenced by smart technology, the applications of cyber insurance grow more diverse. But how well is the cyber security industry maturing to support such offerings?
As Deloitte wrote recently in “Demystifying cyber insurance coverage”, there are several roadblocks within businesses and the cybersecurity industry itself that are preventing organisations from protecting themselves after an attack.
What are the typical pain points insurers face today when it comes to insuring against cyber incidents?
- An escalating growth in demand, but a lack of relevant information, and therefore accuracy, in pricing the risk
- An awareness that early-market, higher-risk products can carry high margins, but that those margins may be an inadequate reward when mitigation and settlement costs can quickly scale to eye-watering levels
- Services that anticipate the need for a more proactive stance – protecting, managing and insuring against cyber extortion for example
- Acknowledgement that cyber-attacks are not only about IT crime anymore, but business interruption and business information risk overall
- Putting value on the very intangible but incredibly valuable concept of digital assets.
What are today’s cyber insurance challenges and how can we solve them?
This is an early-stage and fast-growing market with some common concerns:
- A lack of actuarial data
- Aggregation concerns
- The unknowable nature of all potential cyber threat vectors
Nevertheless, businesses like Hiscox and other leading insurers in the UK are offering well thought-through programs that extend to integrated response as well as taking care of the more traditional insurance of “promise to pay”.
The insurance industry overall has been developing new cyber incident models and simulations. It has been focused on growing a database of information on economic consequences and business interruption perspectives, not to mention other monetisable data points.
All of these critical data points and feeds need to be supported by a clear view of which valued data assets are being insured, and of their value. This must be reinforced by a more integrated view of the landscape and executed with more structure if we are to step up our game together.
To address this, there is a need in the industry for:
- Cyber incident information sharing: pooling brings volume and statistical relevance, especially through a history of standardised information
- Cyber incident consequence analysis: enough quality information to be able to estimate the first-, second- and third-order effects of cyber-attacks on infrastructure
- Mature Enterprise Risk Management programs: scoring and managing risk needs to become more scalable, more packaged, more standardised and more consistent.
What can service providers do to supplement the efforts being made by the insurance industry?
The insurance industry needs more data, with history, at volume, in order to develop more integrated risk strategies and foresight through actuarial data over time.
Just as providers like Hiscox offer an end-to-end service – including legal advice, communications, credit monitoring, call centre support, and IT forensics – cyber security providers must also take a more holistic approach.
The identification of critical information assets, and a more focused understanding of the measures taken to protect these assets, implies a level of business integration across multiple stakeholders that doesn’t exist in most organisations today.
We have a great opportunity to create and establish the first standardised CERT approaches incorporating a more comprehensive and actionable platform. This will allow us to ensure higher-quality up-front asset discovery, while providing greater rewards than merely ensuring best practice.
- By John Madelin, CEO at Reliance acsn