The final part of Sean Martin’s three part series on cyber insurance dives into determining coverage through analyzing risk in an industry lacking solid actuarial data. To combat this problem, technology and insurance companies are joining forces to use risk scoring tools and predictive analytics. Ben Beeson, the cyber risk practice leader at Lockton explains, “As the investment in technology grows insurers will begin to offer incentives to adopt certain risk management tools strategies through premium credits or broader coverage. Today is still very much the stick rather than the carrot. If a retailer has no end-to-end encryption on a point-of-sale system, then they probably won’t get insurance.” If an insurer sees that an organization is taking the precautionary steps to protect its data, reduction in premium pricing may also come into play. Additionally, it is crucial that organizations pay close attention to the specifics and limitations in their coverage as what is covered in one policy may not be mentioned in another. Other types of information are uninsurable altogether. For example, Intellectual property can be devastating if lost, but is nearly impossible to quantify monetarily, according to Beeson.
The goal for the cyber insurance industry is to help organizations make informed decisions. Decisions such as the type and amount of cyber insurance needed, the practices necessary to avoid making that claim and how to handle things once a claim is made. However, the industry itself must first have the insight and knowledge to appropriately price and underwrite these policies. Experts agree that a “static approach” doesn’t work. “This is still a market whose prices are driven by supply and demand — not a price that actually reflects risk,” Beeson said, “As part of the convergence between technology and insurance, think of a telematics black box in a car used to get better premiums. We will start to see dynamic analysis as a means to drive incentives for lowering premiums and risk.” This combined with better cybersecurity practices on the front end will ultimately lead to better policy pricing and more actuarial data to asses cyber risk.