While high profile companies seem like an easy target for cyber threats, smaller firms suffer more from such attacks.
Specialty firm Cyber Insurance said in a 2015 report that 62% of breaches affected small and medium businesses in the United States. Still, large corporations remain the biggest consumers of cyber insurance, with companies incorporating risk management strategies to their overall corporate strategic plans.
Currently available policies combine first party coverage and third party coverage, as well as risk management and post-breach services, loss-prevention and remediation tools.
However, unlike coverage for other industries, cyber insurance is in a state of flux, with no clear cut parameters for assessing risk. The risk profile of clients is often unique and specific, that they need highly customised products to cover their exposure.
Often, the parameters include scale of business, sensitivity of the data the company handles and stores, and its overall security posture.
Still, categorically quantifying an organisation’s posture and risks remains difficult. Currently, there is little reliable historical data on losses due to cyber threat, very little assessment ability to measure a company’s capability to handle incidents.
For instance, Anthem, the second largest health insurer in the US, is said to have shelled out more than $1 billion to cover losses, but its coverage is pegged at around $150 to $200 million.
To cope, insurance companies are opening cyber-security departments and pre- and post-breach services, data architecture analysis, monitoring, incident response, forensics, and others. Further down the line, carriers are seen to start hiring cyber-security specialists, and outsourcing to or buying into cybersecurity start-ups.
