ABSTRACT

Cyber insurance is a relatively new offering compared to property and casualty insurance. However, most insurance companies treat the two exactly the same from a limits, actuarial, and business perspective. Fundamentally, this is a mistake. Even if we had substantive historical cyber data, that historical data would not correlate to the cyber risk the company currently has. When cyber events are detected, they are remediated and cease to be a sustainable issue. Their likelihoods were 100%. The current insurance industry approach of relying on sound actuarial data derived from a largely static body of incident data does not work in cyber insurance.

The cyber insurance market in many countries is relatively small compared to other insurance products. The underwriting criteria for insurers who offer cyber insurance are in their infancy, and underwriters must actively work with cybersecurity companies to develop effective products.

Cyber insurance is a risk transfer mechanism that acts as a buffer against losses associated with data breaches, business interruptions, and regulatory losses.

Bruce Schneier has argued that existing insurance practices tend to follow either the “Flood or Fire” model. 1 However, most insurance companies treat cyber events like property and casualty. Cyber events cannot be modeled like either of these event types. This has led to a situation where brokers are severely underestimating the amount of cyber insurance needed to adequately insure the firm. Property and casualty underwriters use gigabytes of historical data in their analysis. When a cyber event happens, it is remediated and is no longer an issue for the firm. The heavy influence that historical actuarial data has on current cyber insurance underwriting is not fit for purpose. Coupled with a gross lack of standards for the classification of events, this creates low levels of efficacy in cyber industry best practices. 2