Organizations today generally accept that a data breach is inevitable at some point, which makes cyber insurance a necessity. However, panelists at a private briefing during the RSA Conference last week explained that a chasm exists between the inherent need for cyber insurance and the way experts communicate cyber risk to these organizations. John Pescatore, the panel’s moderator, began with an interesting observation: “everyone has access to the same technology. Companies in the same verticals spend about the same money proportionate to their revenue on security but some are more successful than others.” The successful organization, Pescatore explained, focuses on doing the right things first, rather than trying to do as much as possible and touching only lightly on the steps that matter. Secondly, cyber risk assessment is still in its early stages, which makes it hard to reflect risk accurately. As a result, premiums do not accurately reflect the risk at hand but are instead driven by the market.
One of the panelists, Ben Beeson, cyber risk practice leader at Lockton, further explained that a single breach could have catastrophic results across many sectors. Describing what is known as aggregation risk, Beeson noted that “the breach of one entity might affect many businesses and insurance companies. For example, a single breach at a large cloud services provider might affect dozens, perhaps hundreds, of insured companies and consequently many insurers.” Another panelist, David Bradford, co-founder and chief strategy officer at Advisen, said that progress is being made in assessing cyber risk, but communication between insurers, technical people and boards remains a problem, as the three use terminology in very different ways. While “there’s a long way to go to bridge that chasm,” data schemas for cyber insurance are in development and will play a key role in shaping cyber policies in the future.