Creating a Cyber Insurance Policy

Andrew Barratt, Managing Director, Europe

According to research from PartnerRe and Advisen, the global cyber-insurance market is currently worth $2 billion a year, a number which is expected to double by 2020. With 60% of underwriters and brokers seeing significant demand for cyber-insurance from customers, there is clearly a great business opportunity for the insurance sector to offer cyber-insurance policies. However, unlike the standard model of developing a policy, cyber-insurance has a number of areas that policy providers need to consider first in order to succeed.
The process for creating an insurance policy usually relies on historical models that help predict risk and the potential payout on a policy. For cyber-insurance, however, things are not as easy. With little historical data of use for modelling, threats that are constantly evolving and assets that can be created in many different ways, it is hard to evaluate the costs of an attack. Without knowledge and understanding of the security systems and processes that a business has in place to prevent an attack, it can be equally difficult to know the size of the risk.
For example, most businesses have a wide variety of data and information at risk from an attack; some businesses even have safety-critical systems at risk. To gauge this risk accurately, insurers need to know what might be attacked, what a motivated attacker might do and which assets could be affected. Assessing a business, its critical systems and its data is not straightforward either. For instance, IT infrastructure, including industrial control systems, can be heavily customised for specific tasks, which makes the job of assessing risk very specialised.
Cyber insurance can therefore be thought of as comparable to really bad car insurance for a customised car: one where the car has been machined by hand to the driver's own unique specifications, and where, when it is insured, nobody asks how fast the car could go, where it is parked, how old the driver is, whether the driver is qualified to drive it or how all the components were assembled.
And so it goes for cyber insurance. Technologies such as firewalls, which can be hugely complex devices, are often assumed to be doing things that they may not actually do. So if an insurance buyer is asked ‘Do you have a firewall?’ they can honestly answer ‘yes’. However, this is like asking ‘Do you have a door on your car?’ rather than ‘Do you leave the door open? Is the car kept in a locked garage or out on the street? What kind of locks and alarms does the car have?’ Context is extremely important. No specifics can or should be assumed. Firewalls are enabling as well as blocking devices.
Developing insurance policies for cybercrime clearly requires expertise in insurance, cyber-security, risk management and regulations. Understanding all these areas is crucial in developing policies that pay out the right amount at the right time. Failure to do so can lead not only to the creation of policies that do not provide the level of cover actually required, but also to a company being left with a policy that may not give it the expected level of cover in the event of a claim.
This problem is equally true for insurance brokers, who need to understand and know what they are selling. With such a wide variety of products now on offer, it can be difficult to find the right policy to fit the right company. Brokers will have a number of products available and possibly competing commercial incentives, so it is very important that what the products cover is easily understood. If insurance is being tailored specifically to the assured's needs, a good relationship between the broker and the assured, as well as between the broker and the underwriter, is paramount. If a broker has a close relationship with the Risk Officer and understands the types of risks they are most concerned about, they can match those with the underwriter that best provides the cover and can build insurance pillars to suit the company's needs. This allows risk to be spread across different cover types while the same events remain covered, allowing for efficient risk management.
If insurers and brokers can provide customers with both the right policies and the right advice, then the potential for growth is huge. With more than $2 billion at stake, insurers need to look at working with experts in cyber insurance, risk and regulations to develop policies that actually fit customers’ needs. Having expert advice on hand not only speeds up the creation of a policy, but also helps ensure it actually covers what it needs to. Expert help is out there. Don’t let a lack of knowledge in cyber security hold you back from this growing market.
If you are interested in hearing more from cyber security experts on cyber insurance, please visit the Coalfire website: