While there is obviously no cause to celebrate the devastation of the past years’ big cyber hacks, the consequences of these hacks have undeniably led to more urgent infosec development and practices. As Robert Parisi of the network insurance broker Marsh USA puts it, “The number of (data) breaches in 2013 certainly was the last straw in the camel's back." This “last straw” suggests that after 2013, security became a necessity, no longer a luxury.
Since 2013, the security industry has become less concerned with the question of if you will get hacked, and more concerned with the question of when you will get hacked. Best security practices now include how to respond to a breach as well as how to prevent the breach in the first place—both important steps in any organization’s security plan. In response to this call for urgent and better security, the industry of cyber insurance is rising as it works towards both improving prevention methods and providing assistance and compensation in the aftermath of a hack.
Like other forms of insurance, cyber insurance is when an organization or individual employs the use of a third-party insurer who guarantees compensation for loss or damage of a property. In the case of cyber insurance, the insurer offers compensation for damage done as it pertains to Internet risks and loss.
According to a recent article by the Financial Post, cyber insurance has been around since the scares of “Y2K.” As it currently stands, cyber insurance typically only “covers the costs of business interruption, data destruction, and extortion in cases where malware known as ‘ransomware’ freezes workers out of their own company’s systems unless the company pays the hacker.” However, many of these policies are expanding to also include:
While the potential benefits of a fully functioning cyber insurance are certainly large, many experts remain skeptical over the industry’s capacity for cyber coverage. Most issues foreseen by experts in the security industry have not yet been resolved, leaving many concerned about the false protection cyber security appears to market.
The main challenges of the cyber insurance industry are in consequence to its relative youth and lack of hard data. When compared to other forms of insurance, cyber insurance has no substantial way of estimating overall cost and damage since every hack is highly individual. When interviewed by the Financial Post, Paul Schiavone of Allianz Group acknowledged “the relative lack of data makes it difficult to know if the policies are properly calibrated to the risk when it comes to cyber insurance.” This lack of data limits the capacity that cyber insurers have to predict costs and depth of coverage, as well as to predict their own ability to support and compensate any organization in the event of a hack. Other concerns for cyber insurance include lack of thorough vetting on the part of the insurer before offering insurance to organizations and fine print details that are crucial but often overlooked by purchasers.
As the Internet of Things becomes an even greater part of everyday life, manufacturers and users will see an increased need for better, evolving security measures. Cyber insurance may have the potential to be a perfect resolution to many of the inherent concerns over IoT devices. However, in its current state, cyber insurance lacks the data and structure to provide a real tangible solution. Cyber insurance’s future movement will (all fingers crossed) make it a more promising industry in the next few years.
The concerns raised in this article are not to suggest that cyber insurance could not serve as a highly beneficial supplement to any security infrastructure. Rather, raising these concerns is only for the purpose of illustrating reasons that organizations must remain active in their security plans instead of relying solely upon insurance providers. An efficient security strategy requires constant attention and development to succeed.