Challenges and Opportunities for Cyber Insurance
Cyber Insurance Challenges
There are several challenges when it comes to the cyber insurance market. The first is that relative to other types of insurance, cyber insurance is novel. Because of that there has yet to be a standardized tool set to handle all of the nuances associated with it. Next is that insurance does not function well when it comes to incomplete information or information asymmetry. There are obstacles for an insurer to get reliable information about the risk exposure of the insured. It is even more difficult to determine if the risk exposure of the insured has changed in an environment where technology moves so quickly and the attack landscape evolves almost daily. Some customers do not want to reveal the details of their environment and some of their high risk behaviors.
Insurers must also be cognizant of the threat landscape. Attacks are constantly evolving and changing, and they are very difficult to keep up with in real time. A new devastating attack could come out of the blue that cannot be anticipated. So the risk today can be completely different than tomorrow’s.
Then there are questions: How does one know how much insurance to get? How does one know how much damage was done? When it comes to car, life, health insurance it is very quantifiable. For a car you know how much a car costs to replace. You have a feel for how much it would cost for any injuries associated with an accident. You have historical information that you can reference to derive estimates for prices today and you can even forecast into the future how much prices will fluctuate in time. Cyber is totally different. How do you know how much data is worth? How much is reputation worth? How do you forecast what it’ll cost to remediate an incident? Being able to answer these questions accurately with real numbers is essential to the ability to function as an insurer as well as maintain healthy and happy relationships with customers.
Role of Insurers
Fortunately there are ways to address each of these issues. Health insurers are able to bridge the gap of information asymmetry by having the insured conduct a medical checkup. Or by filling out a survey that assesses their habits. By developing partnerships with information security companies, they are able to serve as an evaluator of the good or bad habits that define their capability of being resilient against attack. An evaluator can identify problems and help provide guidance in how companies can take effective measures to reduce their risk exposure.
Also these organizations are keenly aware of the threat landscape and are in the know when it comes to the latest iteration of attacks that are targeting different industries. Providing the customer base with notifications of outbreaks that are applicable to them could allow the customer to take preventive measures to thwart an attack before it starts.
Security providers are not only able to determine the security posture of the business but we can provide key insights into helping to quantify the risk. This helps you determine premiums you should be charging as well as helps them realize the position they are currently in and allow them to determine how they should address this risk.
The fortune 500 and fortune 1000 companies have been using various methodologies for quantifying risk analysis and using those numbers to help them make decisions. They make decisions that cost tens of millions of dollars so they spend millions of dollars to conduct a thorough analysis to determine which actions they should take. They hire high priced skilled analysts and develop risk registers with pretty graphs that are managed by the Chief Risk Officers.
Wildcard utilizes a cyber value at risk framework to quantify the risk facing an organization based on the threats and associated impact. We are able to adjust based on the mitigating controls that are currently in place or could be put into place. Now we can demonstrably show the minimum and maximum impacts of an incident. That way, as insurers, you are able to offer the appropriate insurance packages for their risk level.
Insurers should also take steps to determine the root cause of a claim. How do you know that the claim wasn’t filed fraudulently? How do you know that the incident is in fact over? An adversary could still be lurking in a network and strike again leading to another claim. In the event of an incident the insured will need someone to come in and see if data can be recovered which could potentially limit the cost of the claim. Also someone should come in to see if it can be determined who was behind the attack and involve law enforcement where necessary.
Essentially, cyber insurance should be an entire suite of services that is offered to the customer. Effective Cyber insurance is not just about coverage. Information security is a complex issue and it shouldn’t just about about transference of risk. Insurers can’t just be about a loss event. We have to offer additional services and add value to an organization by offering additional services like risk consultation, risk monitoring and assessment, prevention, data breach resolution and recovery after a cyber attack. It also means cultivating a close relationship with customers.
As a part of cultivating this relationship, it is necessary that customers are given a sense that they are being taken care of. As such insurers need to clarify the language around what is covered and what is not. When customers are in the midst of an attack, they need to feel like they are being supported. Many players in cyber insurance industry have been getting a bad reputation because the policy is ambiguous about how their customers should be protected. The language in policy should be clear and not open to interpretation. We should be using language that is explicit not nebulous. Customers should understand exactly what is covered and what is not. And perhaps reminded of where they are vulnerable from time to time.
For more information on our cybersecurity solutions,
email [email protected], or call (715) 869-3440