Can Cyber Insurance Companies Accurately Determine Cyber Risk?
Hardly a day goes by when we do not hear about a significant hacking event with serious repercussions. Organizations face downtime, loss of data, potentially significant fines, and issues with reputation. Little wonder that they are looking for protection through insurance policies at the same time as they take steps to mitigate the risk. Yet how do cyber insurance companies accurately quantify these risks, and how will their decisions affect premiums?
Appetite for Risk
Certainly, insurance companies are learning as they go and developing methods to help them assess risk. It’s not easy for these companies to determine how much coverage they will give, as it is difficult to quantify the overall appetite for risk.
Steep Learning Curve
Individual companies may be in different positions along the learning curve and are likely to have a varied outlook. Some may already be established in the market and offer cyber policies to organizations, while others may be unsure how to proceed. Unfortunately, there is a limited amount of information regarding insured loss, which can make it hard to underwrite with confidence.
Furthermore, some insurance companies struggle to differentiate cyber coverage from their existing lines and therefore to establish dedicated cyber insurance policies. This is because some attacks that result in data losses and financial implications may already be covered under a professional indemnity policy.
Some people believe that software tools could help define the market and allow insurers to come up with accurate and sustainable quotes. These tools may augment existing methods based on exposure management, while other companies may already have a loss estimation methodology.
Certainly, data represents the biggest challenge of all. Some information may be available from outside parties, but it can be hard for an insurance company to assess its exposure and quote a premium. The position becomes even harder due to the fast-moving nature of the threat and the emergence of new technologies and different terminology.
Those outside parties may become crucial as plans become more advanced. Third-party vendors can help clients assess risks, identify vulnerabilities, and anticipate attacks. As these models mature, insurance companies may have more accurate and reliable data to help them with their projections.
The largest challenge remains the gap between the insurance world and cyber security experts. These two sides will need to work more closely to collect and share data so the insurers can better understand the risk. This will allow them to create meaningful policies and set premiums that make sense for all parties.