Cyber Risk Insurance
ENISA has released a report on its recent study of the cyber insurance market.
The report, Incentives and Barriers to the Cyber Insurance Market in Europe, attempts to define cyber insurance, explain why cyber insurance could be an attractive measure for transferring financial risk, and describe current market offerings.
The report goes on to discuss barriers to the development of an effective cyber insurance market including:
- Uncertainty about the extent of risk and lack of robust actuarial data
- Uncertainty about what risk is being insured
- Ongoing technological evolution
- Lack of visibility on what constitutes effective protection measures
- The absence of an insurer of last resort to re-insure catastrophic risks
- Perception that existing insurance already covers cyber risks
The report provides recommendations to address these issues. At first glance you might think the report is primarily of use to those within the insurance industry, but I think it should have a much wider audience, since it addresses many of the issues industry has in quantifying risks and justifying spending on security. Of course, if your organisation is considering buying cyber insurance, or even believes it already has such insurance (possibly in error), the report will provide useful matter for consideration.
See also my recent post about Systematic Study of the Costs of Cybercrime and a 2009 post on E-Commerce and Insurance - The Definitive Guide.
Posted on: 04 July 2012 at 21:11 hrs
1) First, IT security is a conflict, i.e. "war" - and insurance companies don't like insuring entities involved in a war...
2) So companies will buy "hacking insurance" - and ignore their real security requirements...and continue to be pwned...as they try to shift the risk expense from themselves to the insurance industry...
3) Good luck with that...The insurance industry has seen this before...
4) So as the insurance payout losses add up, the insurance companies will respond as usual...
a) Raise premiums to the point probably equal to what it would have cost the company to do the "right" security thing anyway... OR
b) Require companies to PROVE their security posture before issuing a policy - which means yet another guy with a checklist coming in and "auditing"...with the same poor results as every other compliance regime.
5) So companies will end up paying 1) for security remediation work they should have done in the first place, PLUS b) premiums that cost as much as the security remediation!
They aren't going to win that game...