The State of Cyberinsurance
Good essay on the current state of cyberinsurance.
So where does that leave the growing cyber insurance industry as it tries to figure out what losses it should cover and appropriate premiums and deductibles? One implication is that the industry faces much greater challenges than trying to quantify or cover intangible—and perhaps largely imaginary—losses to brands’ reputations. In light of the evidence that these losses may be fairly short-lived, that problem pales next to the challenges of determining what should be required of the insured under such policies. Insurers—just like the rest of us—don’t have a good handle on what security practices and controls are most effective, so they don’t know what to require of their customers. If I’m going to insure you against some type of risk, I want to know that you’re taking appropriate steps to prevent that risk yourself 00 installing smoke detectors or wearing your seat belt or locking your door. Insurers require these safety measures when they can because there’s a worry that you’ll be so reliant on the insurance coverage that you’ll stop taking those necessary precautions, a phenomenon known as moral hazard. Solving the moral hazard problem for cyberinsurance requires collecting better data than we currently have on what works—and what doesn’t—to prevent security breaches.
Dave Walker • June 16, 2014 1:54 PM
Yup, good piece.
One important thing which doesn’t get quite the profile it ought to, though, is the nature of security vulnerabilities and the scope of the compromises which can result; it’s not an uncommon occurrence that one minute “a reasonable percentage” of the commercial Internet is considered “reasonably secure”, and the next minute a vuln is disclosed which has lots of organisations needing to rush to patch it.
Therefore, with such spikes in risk exposure, cyber-insurance isn’t a game to play, until there’s cyber-re-insurance to back the cyber-insurers.
The actuaries are still going to have huge headaches, as the article describes, though.