If you have ever tried to obtain property insurance, you know you have a “project” cut out for you. Figuring out what each insurer’s policies cover — and don’t cover — is a chore. When you finally get to the point where you can compare premiums, many of you just want the pain to end quickly and probably pick a carrier more out of expediency than economy.
Now multiply this by two factors: first, you want to get business insurance, and then you want to get business cyber insurance. If you are a big company, you probably have specialists that can handle these tasks — maybe. The problem is that insurance specialists don’t necessarily understand the inherent cyber risks, and IT folks don’t know how to talk to the insurance pros. And to make matters more complex, the risks are evolving quickly as criminals get better at plying their trade.
My first job after college was working in a keypunch department of a large insurance company in NYC. We filled out forms for the keypunch operators to cut the cards that were used to program our mainframe computers. It was strictly a clerical position, and it motivated me to go back and get a graduate degree. I had no idea what the larger context of the company was, or anything really about insurance. I was just writing numbers on a pad of paper.
Years later, I worked in the nascent IT department of another large insurance company in downtown LA. This was back in the mid 1980s. We didn’t know from cyber insurance back then: indeed, we didn’t even have many PCs in the building. At least not when I started: my job was to join an end-user support department that was bringing in PCs by the truckload.
So those days are thankfully behind me, and behind most of us too. Cyber insurance is becoming a bigger market, mainly because companies want to protect themselves against any financial losses that stem from hacking or data leaks. So far, this kind of insurance has been met with mixed success. Here is one recent story about a Virginia bank that was hit with two different attacks. They had cyber insurance, and filed a claim, and ended up in a court battle with their insurer who (surprise!) didn’t want to pay out, claiming some fine print on the policy.
Sadly, that is where things stand for the present day. Cyber insurance is still a very immature market, and there are many insurers who frankly shouldn’t be writing policies because they don’t know what they are doing, what the potential risks are, and how to evaluate their customers. If you live in a neighborhood with a high rate of car thefts, your auto premiums are going to be higher than in a safer neighborhood. But there is no single metric — or even a set of metrics — that can be used to evaluate the cyber risk context.
I talk about these and other issues with two cyber insurance gurus on David Senf’s 40 min. podcast Threat Actions This Week. I am part of a panel with Greg Markell of Ridge Canada and Visesh Gosrani of Guidewire. If you are struggling with these issues, you might want to give it a listen.