Insurers working to provide their customers with adequate cyber coverage must overcome a slew of challenges. Here are eight of the most formidable:
Lack of Historical Data
While insurers writing policies for flood insurance, for example, can draw on a rich history of this type of natural disaster to formulate a model, they are left empty-handed when it comes to historical data on cyber attacks. It’s a relatively new field, so there’s no historical precedent to speak of.
Lack of Sufficient Cyber Data to Enable Accurate Underwriting
Not only is there a lack of historical data (above), but in many cases the law also doesn’t require organizations to reveal cyber breaches, other than those impacting consumer data. A significant number of cyber attacks are thus left unreported. This deprives insurers of the data they need to measure all the costs of a cyber attack, making it difficult for them to write effective cyber policies.
Organizations’ lack of knowledge about their internal readiness for cyber attacks makes underwriting exceedingly difficult for insurers.
Difficulty in Defining a Cyber Attack
Insurers are still trying to come up with precise and accurate definitions for cyber attacks and the impact of new technologies, such as IoT. Without clearly defined threats and an understanding of how they can impact insurers, cyber insurance policies could lack effectiveness and expose organizations to significant damage in case of major cyber attacks.
Low Awareness of Risks
Many organizations don’t understand the full scope of the cyber risks confronting them and the insurance coverage options available. This sometimes prevents them from seeking any coverage.
No Geographical Limitation
Geographical boundaries for cyber insurance coverage are far less defined than for traditional coverage. Cyber attackers, once inside the system, can operate freely irrespective of the location of any of the organization’s premises, so physical geographical boundaries are irrelevant to them.
The Actuarial Paradox
Cyber insurance is fundamentally different from other types of coverage in one key area that Symantec calls the “actuarial paradox.” The dilemma: if a company gets breached and responds strongly, is that company then more prepared and thus a better risk in the future? If so, can the insurer charge a lower premium for previously breached companies if their responses to those attacks have lowered future risks?
Prevention or Insurance?
There is a legitimate debate brewing among organizations as to whether to invest money in buying a cyber policy, or to spend the money on better firewall and cyber protection.
For more information, see Sapiens’ new white paper, Insurers in the Crosshairs: Winning the War Against Hackers, which explains the cyber obstacles insurers must overcome, offers five best practices and explains how Sapiens can help. Our infographic, 8 Challenges of Providing Cyber Insurance, offers some additional flavor on how insurers (and the world) are under cyber attack…