As the frequency and complexity of cybersecurity incidents increases, the fledgling cybersecurity insurance industry continues to evolve and adapt. The problem? Cybersecurity incidents are like nothing else that the insurance industry has yet addressed. From Wired.com:
Companies like retailers, banks, and healthcare providers began seeking out cyberinsurance in the early 2000s, when states first passed data breach notification laws. But even with 20 years’ worth of experience and claims data in cyberinsurance, underwriters still struggle with how to model and quantify a unique type of risk.
“Typically in insurance we use the past as prediction for the future, and in cyber that’s very difficult to do because no two incidents are alike,” said Lori Bailey, global head of cyberrisk for the Zurich Insurance Group. Twenty years ago, policies dealt primarily with data breaches and third-party liability coverage, like the costs associated with breach class-action lawsuits or settlements. But more recent policies tend to accommodate first-party liability coverage, including costs like online extortion payments, renting temporary facilities during an attack, and lost business due to systems failures, cloud or web hosting provider outages, or even IT configuration errors.
One major issue that springs to mind is the constantly shifting nature of technology. In any given span of a few years, technology standards can shift wildly to account for changes in software and hardware – and when these things shift, vulnerabilities and how they are exploited can also quickly transform.
It’s not like a home or a car, in which the exact nature of how the home or car is constructed might change but the circumstances of a fire or theft will not. The circumstances surrounding a cybersecurity incident can be completely different from one year to the next. This uncertain landscape makes it difficult track and analyze the data needed to efficiently calculate premiums.
What do you think?