The cynical would suggest that cyber insurance is growing as some look for a cheaper route to manage risk. However many see the cyber insurance industry as potentially the new enforcer of good security practices.
Over the last decade, we have seen regulation being applied, be it by nations or industry groups, and most have faced the same challenge; that is, regulation moves at a snail’s pace compared to the rocket ship that is the evolution in IT and cybersecurity. There is a clash between dynamic, evolving cybersecurity in which the bar of what is state-of-the-art continuously evolves, be it from new IT technology use cases, changing threats, or new practices to mitigate these risks.
The impending EU regulations, the Network Information Security Directive and the Data Protection Regulation Reform, both leverage the term and concept of state-of-the-art, suggesting that, in the latter, business should have regard for this cybersecurity capability relevant to the risk and, in the former, businesses should have at least state-of-the-art security technology.
Could the cyber insurance industry, in effect, become the dynamic new regulator of this in the future as cyber insurance adoption grows? Businesses will be eager to prove they are applying such state-of-the-art practices to reduce their premiums, and insurers will be looking to validate if a business can be insured and just what level of premium they should be offered based on the business’ capabilities.
As the cyber insurance market grows, it will surely become more competitive, and so, such analysis would seem key to being able to offer better premiums where the risk posture allows. An example of this is IASME (a UK consortium for small- to mid-sized businesses) tying cyber liability insurance coverage for small businesses to the UK Cyber Essentials program certification that aims to assure a basic level of cybersecurity. They are 1 of 4 accreditation bodies for Cyber Essentials certification in the UK.
The question all this raises is whether those in the insurance industry will have to become cybersecurity experts, and the likely reality is not, as there is already a skills’ shortage in the cyber market. What seems more likely is partnerships will be formed with the security industry so they can gather better intelligence on both the current threat landscape and capabilities, looking to validate their real-world effectiveness and identify best practices.
Much as home insurance is linked to where you live, cyber insurance will be linked to the industry you are in, and where you do business, to better identify the likelihood and scope of claims. Today some cybersecurity vendors, including Palo Alto Networks, already track such data and, with the Cyber Threat Alliance, can track and advise on advance threats.
As cyber insurance evolves, it will require a tripartite relationship amongst knowledge of the risk, relevant state-of-the-art capabilities to prevent the impact, and the skills to validate the ongoing application. It will be interesting to see if, in the longer term, insurers will build out their own list of approved requirements and capabilities. However, unlike most insurance services, which have been built from decades of knowledge to generate the actuarial data that balances premiums against claims, cyber insurance is still relatively nascent. I would challenge there are probably very few insurance markets that are as dynamic as cybersecurity. Only time will tell if the potential benefits for all, with insurers growing involvement in the cybersecurity space, come to fruition.