How the insurance industry could change the game for security

The recent growth in the cyber insurance market is already improving cybersecurity in some industry segments, and has the potential to do more -- if the industry is able to address its data problem.

One area where cyber insurance has already made an impact is in the retail space, said David White, founder and COO at Axio Global, a cyber risk company.

After the 2013 Target breach, it became very difficult for retailers to get a decent price for cyber insurance unless they had completely switched over to end-to-end encryption, or had a definite plan in place for doing that.

"I spoke to a large retailer at a conference a year ago who was wringing their hands because they could not buy cyber insurance -- the sort that would cover a payment card data breach," he said. "Their problem was that they had not allocated the funding to install end-to-end encryption and were not even planning to in the foreseeable future. The risk manager told me that they had approached the insurance market annually for several years and all she could get were 'FU quotes.' The cyber insurance industry has been a substantial force in driving retailers to adopt end-to-end encryption."

Next, White said, he expects insurance companies to start insisting on anti-phishing awareness programs, strong network segmentation, and network hygiene controls for industrial control systems.

"A decent analog is the presence of sprinkler systems and other fire suppression systems as a consideration for property insurance," he said. "Organizations don’t stop buying fire insurance because they install a sprinkler system, but they do get more attractive rates."

Insurance companies are helping set some general standards for cybersecurity, said Mark Sangster, vice president and industry security strategist at eSentire.

And it's not just for the point at which the policy is written, he added. Insurers are adding language to contracts that require companies to maintain a particular level of security.

"For example, you must do annual cybersecurity training, and if you do those things, you can have the policy and it will cost you this amount," he said. "That's like them saying, if you're caught doing reckless driving, your auto insurance is null and void. I think they are one of the top influences at the moment when it comes to what cybersecurity policies and procedures need to be looked at."

Insurance companies are asking for minimum controls, agreed Jenny Soubra, head of the U.S. cyber practice at Allianz Global Corporate & Specialty. But they're also starting to go beyond that, with more services, she said.

"Pre-loss mitigation services offered by carriers have just become table stakes," she said. "Everyone wants their clients' risks to be improved."

And that translates to better security, she said, as companies become more aware of their vulnerabilities and take steps to close the gaps, train their employees, and reduce response times.

But there's a limit to how much insurance companies can actually do when it comes to measuring risk, she said.

According to Soubra, the insurance industry is still 30 to 50 years away from having a standardized cybersecurity data set, with relevant actuarial data, that it can pull insights from.

"The threat vectors are constantly evolving," she said. "There are new ways to get into the system, new types of ransomware are constantly being created. This, in turn, has the coverage that we're offering constantly evolving. So we're collecting new types of data that we weren't collecting in the past."

It doesn't help that it's difficult for insurance companies to share data, she said.
