There's a second, subtle problem with the immature cyber policies currently on offer – lack of guidance. For cars, the insurers know a great deal about features that make them safer or riskier, and they also know about driver behaviours that are more or less likely to lead to claims. They can price the insurance to encourage better behaviour, and it works. Part of the reason our roads get safer every year is that insurers push car buyers who push car manufacturers towards ever safer designs.
This hasn't happened in cyber insurance – yet. When a company goes out to buy a typical cyber policy today, it is asked to fill in a questionnaire about its security practices. I've spoken to people who fill in these questionnaires, and to the people who set them on the insurance side – neither believes they are really all that reliable. (Imagine if your car insurance company simply asked you, before issuing a policy, "are you a good driver – yes or no?" That would be ridiculous – they need some way to check.)
This pent-up demand has been sitting there, like a logjam on a river, waiting for the key blockage to be removed. As I work with insurance companies in Europe and the US, it's clear from the inside that the breakthrough is very near. All the insurers need is a little more data about the actual security practices a company is using (analogous to a driver's habits).
This is now happening, due to a collaboration between insurers, security technologists, and insured companies. The insured companies do not want the burden or the commercial risk of exposing details of how they run their security, even to their insurers, but they do want the insurers to help guide their investments towards the choices with real ROI. This is where third-party technologies enter the picture: they can measure and quantify the defensive state and breach risk of each organisation using standardised, repeatable yardsticks, so the insurer gets comparable data without the insured handing over its internal security detail.
For security practitioners, the take-away from all this is to watch closely as the insurance market heats up, offering stronger policies with more financial incentives available to those who can demonstrate superior security practices. It gets a lot easier to communicate about security to the business when the CFO is hearing from the insurance broker about the discounts they can receive for investing in better security!
Dr Mike Lloyd, CTO, RedSeal.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.