Cyber-insurance will never become an established part of IT risk management until governments are prepared to backstop liabilities and demand contractors carry cover before being awarded contracts, a new analysis has suggested.
According to NSS Labs’ analyst brief Cybersecurity insurance: self-insure or hedge your bets? [paid report] the current US market is made up of only a few dozen providers compared to the 5,000 that offer other types of business insurance.
Given the nest of inhibitors identified by author Andrew Braunberg it’s amazing that the US cyber-insurance industry exists at all, but his core argument is one worth looking at; insurance has over time acted as a positive influence on other industries to improve safety and performance, so why not IT as well?
If it’s desirable, the question is how to kick a near-dormant market into life.
The first major hurdle is simply the incredible difficulty in quantifying losses and backing up cyber-insurance claims with objective data. Cyberattacks are hard enough to stop; it turns out that defining their extent, and the cost or remediation, is even tougher.
A second if potentially fixable issue is that there are no agreed risk management standards that make it straightforward to compare the risk associated with one firm against another.
A more technical way of stating this would be that insurers simply can’t work out which protections might reduce a firm's risk profile because nobody is sure which security technologies actually work.
Adding to the negative feedback loop, cyber-insurance customers don’t get a significant reduction in premiums for investing in specific technologies to offset the cost.
“Customers are not seeing sufficient financial incentive, with respect to policy discounts, to spend more on security products as a way to reduce policy premiums,” said Braunberg.
Braunberg’s solution is interventionist, starting with the need for government to ask that suppliers carry cyber-insurance in the same way they expect general liability for those firms’ workers and infrastructure.
This would overnight give insurance vendors a stream of actuarial data on the success or failure of certain technologies, making it easier to price cyber-insurance for the market generally.
“Hopefully this would create a virtuous cycle of incremental improvements to security technologies and insurance carrier cyber security risk management strategies,” said Braunberg.
Not all recent analyses are quite as down-in-the-mouth about the US cyber-insurance sector.
A recent report by broker Marsh USA found that demand for cyber-insurance among its customers had risen by a third during 2012, across all sectors.
The absolute levels and importance of cyber-insurance remains small, however, so it could be that the relative immaturity of the security industry is a defining factor and things are starting, slowly, to change.