Cyber-insurance is a specialty lines insurance product intended to protect businesses, and individuals providing services for such businesses, from Internet-based risks, and more generally from risks relating to information technology infrastructure, information privacy, information governance liability, and activities related thereto. Risks of this nature are typically excluded from traditional commercial general liability policies, or at least are not specifically defined in traditional insurance products. Coverage provided by cyber-insurance policies may include first-party coverage against losses such as data destruction, extortion, theft, hacking, and denial of service attacks; liability coverage indemnifying companies for losses to others caused, for example, by errors and omissions, failure to safeguard data, or defamation; and other benefits including regular security audits, post-incident public relations and investigative expenses, and criminal reward funds.
Because the cyber-insurance market in many countries is relatively small compared to other insurance products, its overall impact on emerging cyber threats is difficult to quantify. As the impact to people and businesses from cyber threats is also relatively broad when compared to the scope of protection provided by insurance products, insurance companies continue to develop their services.
As insurers pay out on cyber-losses, and as cyber threats develop and change, insurance products are increasingly being purchased alongside existing IT security services. Indeed, the underwriting criteria that insurers use to offer cyber-insurance products are also at an early stage of development, and underwriters are actively partnering with IT security companies to develop their products.
As well as directly improving security, cyber-insurance is enormously beneficial in the event of a large-scale security breach. Insurance provides a smooth funding mechanism for recovery from major losses, helping businesses to return to normal and reducing the need for government assistance.
Finally, insurance allows cyber-security risks to be distributed fairly, with the cost of premiums commensurate with the size of expected loss from such risks. This avoids potentially dangerous concentrations of risk while also preventing free-riding.
Information technology is an inherent facet of virtually all modern businesses. The requirement for a separate product exists only because of a deliberate scoping exercise that has excluded theft and damage associated with modern technologies from the existing product lines.
Bruce Schneier has postulated that existing insurance practices tend to follow either a “Flood” or a “Fire” model; cyber events, however, do not appear to be modeled well by either of these event types. This has led to a situation where the scope of cyber-insurance is further restricted in order to decrease the risk to the underwriters. Compounding this is a paucity of data relating actual damage to the type of event, a lack of standards for the classification of events, and a lack of evidence for the efficacy of “industry best practices”.
Insurance relies upon sound actuarial data against a largely static background of risk. Given that neither exists at present, it is unlikely that the buyers of these products will achieve the value outcomes they desire. This view of the market is reflected in its current state, where standard exclusions result in a situation in which “an insurer could argue they apply to almost any data breach”.