Insurers have yet to develop an evidence-based method to assess a company's cyber risk profile. This has resulted in high premiums, low coverage, and broad exclusions.
Cyber insurance is one of the fastest growing segments in the insurance industry. With the tremendous increase in data breaches, companies are looking for insurance products to cover them in the event of a loss.
As the Boston Globe recently reported, one in three companies now has insurance coverage against cyber losses. Last year 20% more cyber insurance policies were sold than in 2012, according to a Marsh LLC report.
Recently disclosed high-profile breaches at Target, Neiman Marcus, and other large retailers highlight the tremendous impact a cyber breach can have on a company -- both financial and reputational. The potential losses can be significant. Some analysts see the Target breach costs exceeding $1 billion, far surpassing their insurance limits.
A gift that keeps on giving
Target's massive holiday breach was a giant gift to insurers that have been pushing these policies for years. For the rest of us, it was a wakeup call. And as the demand for cyber insurance has increased, insurers have come up with new ways to offer policies. In 2013, insurers rolled out 38 new cyber insurance products, according to the insurance analyst firm Advisen Ltd.
A senior executive at Aon Risk Solutions recently told The Wall Street Journal (subscription required): "Inquiries from potential buyers [of cyber insurance] have tripled since the recent hackings and a greater portion of callers are buying." Though demand has certainly grown, cyber insurance is still in its infancy, and there is still a lot of education to be done on the subject as more and more companies conduct a majority of their business online, opening themselves up to data theft.
Companies ranging from single-site firms to multinationals generally deploy a wide array of techniques in an effort to thwart cyber attacks. However, not all techniques are effective, and not all companies implement those techniques in a manner that achieves optimal results. Even when a company does have a strong risk management program, most insurers don't have an objective, evidence-based method to assess its risk profile. This uncertainty and lack of objective intelligence can result in policies with high premiums, low coverage, and broad exclusions.
Wanted: evidence-based cyber risk ratings
Questionnaires used in cyber insurance underwriting as part of the application process can be broad and subjective, as well. They give an indication of security policies and procedures that may be in place at a given company, but not how effectively those policies and procedures are implemented. Two companies with similar security practices may have very different security outcomes. A recent blog post by George Hulme outlines how questionnaires may lead to a false sense of security for risk managers.
Further compounding the problem is a well-known fact among security professionals: Hackers are becoming ever more sophisticated in the methods they use to attack companies, which makes it difficult for companies to keep up with the latest security practices.
An objective, evidence-based cyber risk metric is needed to measure security effectiveness, not simply policies and procedures. A cyber risk metric can offer underwriters a distinctive tool for assessing the potential for cyber loss at a particular company. Algorithms used to calculate cyber risk metrics can analyze vast amounts of data, including Internet communication and evidence of actual security compromises and vulnerabilities. Underwriters can use this information, in addition to their other underwriting procedures, to gain a critical window of visibility into a company's security posture.
Security ratings can transform the insurance industry by allowing insurers to compare companies empirically against one another and against industry averages. This gives underwriters an objective method to gauge the cyber risk of prospective policyholders and offers insurers the capability to continuously measure and track the overall risk of their entire portfolio.
Ira Scharf is Chief Strategy Officer with BitSight Technologies. He previously was President of AirDat and served as General Manager of Energy & Risk for the Weather Channel.