Analysis: The insurance industry is still struggling to adjust to the cyber security landscape.
Barely a week goes by without a major new data breach being announced, or fallibility being exposed. The insurance industry has, somewhat inevitably, responded by creating cyber insurance products for firms.
Insurers are now putting up prices in the USA, according to Reuters, which means some riskier clients could be left out of pocket in the case of a major breach, as the policy will not cover it all.
Firms are also being increasingly selective about who they choose to cover. AIG’s policy covers $75m of loss from a breach, and the clients selected are those that are best at protecting themselves.
Anthony Hess, principal adviser in KPMG’s cyber security team, said: "The insurance market is adjusting their pricing to better reflect the changing landscape of cybercrime. Retailers and health care organisations may have been a relatively safe bet a couple of years ago, but the environment has changed and insurers are reacting accordingly. It isn’t the security posture of the insured that matters so much as their security posture versus the threats, and the threats have escalated."
Costs in the UK are now going up too, says Hess: "In terms of insurance premiums here in the UK versus the US the trends are broadly similar. However, taking into account the different notification laws and payment systems here in the UK I would expect to see smaller increases here versus the US, but each insurer makes their own decisions when it comes to underwriting."
Insurance companies are just another in a long line of industries having to adjust to the cybercrime challenge.
Dave Palmer, technology director at cyber security firm Darktrace, said: "One of the key difficulties is without actuarial tables, and without an understanding of what the cyber risk to a company is, how can you insure against it?"
Ken Westin, senior security analyst at Tripwire, agrees the lack of data has been a problem, but thinks the situation is improving, ironically thanks to high-profile breaches. He said: "One of the challenges for insurers was identifying the scope of potential financial liabilities when it comes to a data breach. Much of this has been due to the lack of data to understand the potential financial impact of a breach. However, with the rise in high profile breaches, insurers finally have data they need to assess risk and the results are staggering."
Palmer also points out that the cost of premiums varies widely. "The orders of magnitude are ridiculous," he said.
Additionally, the real cost of a breach can be far greater than just the lost data or intellectual property, says Palmer. It could include the loss of brand reputation, for example. However, "mostly people are getting insured against the cost of cleanup, but nothing more," he says.
Their views were added to by Mark McLaughlin, the CEO of security firm Palo Alto Networks. In a television interview yesterday he said: "The reason you can’t get insurance policies that actually pay out or get them at reasonable rates is the insurance business knows how to manage risk, right? They have no idea what this risk is here, the magnitude or what to do about it."
The risk of cyber attacks against firms is rising all the time, and insurance companies are going to need to adjust to protect them in this new landscape.