With major companies all relying on their computers to store their valuable data, cybersecurity insurance is more important than ever before. Insurance providers, however, are finding it difficult to properly quantify cyber risk.
In 2015, the National Association of Insurance Commissioners (NAIC) implemented guiding principles for insurers underwriting cyber risk. Although a great starting point, there is still no standard or valuation approach on which the industry underwrites cyber liability coverage.
Without a standard, insurers could over- or underestimate the value of their clients’ data assets, which could be catastrophic. Overvaluing the data could impose an excessively high premium, while undervaluing it could leave the clients’ own assets at risk since the insurers only have to meet the commitment agreed upon.
Also of note is that current cybersecurity insurance policies only cover a portion of the direct cost.
At present, cybersecurity underwriters use inputs from information security tools such as Security Information and Event Management (SIEM), as well as structured questions in many cases, to help them anticipate possible cyber-attacks. These tools, however, are limited only to an organization's past security incidents, outlining the main cause of an incident, and when and how a cyber breach happened—all impractical when insurers need data to predict and anticipate future attacks.
A feature on
CSOOnline.com attempts to find possible answers to the issue.
One suggested approach involves analyzing the associated costs with updating or rebuilding a business after a breach, based on existing disaster recovery plans.
Another approach entails setting up data controls that continuously monitor an organization’s data environment. The data controls also monetize the organization’s data value based on their usage, putting a quantifiable price on the organization’s data assets.
Related Stories:
Morning Briefing: UN’s Ban Ki-moon praises insurance industry on climate change
These roadblocks are slowing down the cybersecurity insurance explosion
