There are two sides to every coin. For cybersecurity, those two sides are protection and response, and they are both equally necessary for an effective cybersecurity program. However, there are also inevitable realities beyond an organization’s control. Cybersecurity experts claim that no organization can be fully protected from a breach – that’s where cyber insurance comes in. Not only can cyber insurance lead to better cybersecurity practices, it can also help cover many of the costs following a breach. Ben Beeson, cyber risk practice leader at Lockton Companies, said that most CISOs understand the role cyber insurance can play in cybersecurity practices – partly because cyber insurance can act as a cover for CISOs themselves. However, while the cyber insurance market is growing and expected to boom in the next five years, not all companies are taking advantage of the opportunity to hedge these cyber risks. In fact, while nearly 100 insurance companies offer cyber insurance in at least one form, 80-90 percent of the business is concentrated in 10 companies. Further, only two percent of companies in the U.S. have cyber insurance, according to a recent article by Sean Martin of SearchSecurity.
This raises the question: what can be done to make cyber insurance more widespread? Currently, the market faces the problem of quantifying risk – it’s not linear, says Julian Waits, president & CEO at PivotPointRisk Analytics. “Actuarial information is immature, and therefore insurance companies are grappling with ‘how do we risk this risk’ and… what and how much do they need to buy, and what they’re actually getting in return.” If companies do not feel like they are getting much in return, they will choose to spend their money elsewhere. But as cyber insurance progresses, more policies will cover more organizations, filling the cybersecurity protection gap.