Minerva Studio - Fotolia
Kathleen Richards, features editor
Cyber risk and liability insurance generates lots of questions but evidence of a growing market remains hard to find. Of the 1,000 commercial property and casualty insurers, about 30 offer "good" cyberinsurance, according to Mark Geisiger, president of NetDiligence, whom I interviewed for an article this month.
Adoption numbers also remain steady, with many studies indicating that roughly one-third of the risk managers surveyed said their organizations have cyberinsurance policies. Far higher percentages of companies express interest in cyber risk and liability insurance products, especially after security incidents. Security officers have limited involvement in insurance decisions.
"We haven't seen a whole lot of change from an adoption standpoint," said John Wheeler, research director for security and risk management at Gartner, "or any maturity in the products that insurers are developing."
That's largely because the data breach loss information is very hard to obtain, according to Wheeler, and the insurers have limited actuarial data to support underwriting decisions. The security and risk information on the organization's insurance application is often used to develop customized policies. Companies that are exploring cyberinsurance should look at products from insurers with at least three years of experience in the category, such as Ace, AIG, Chartis and Beasley, among others, according to Gartner research.
"There is great interest in these products -- we get lots of client calls," said Wheeler. "But we always caution folks to make sure that they really look at the application that they are filling out and the information requested, because that is essentially what these underwriters are using to write the policies..." If the information provided in the pre-insurance survey is not a defensible set of controls -- accurate representation of the company's network monitoring, access control, physical security, governance and policies and security practices -- some organizations may inadvertently void or limit their policy coverage and not realize their mistakes until the information is questioned during the claims process. Subpar language describing cyber risk in a cheaper policy should also be avoided, according to Gartner.
With everything that's at stake, it's hard to believe that security officers have limited-to-no involvement in cyberinsurance decisions about adequacy of coverage. While many technicians may prefer life in the data center, cyber risk and liability require the expertise of security officers before companies help quantify their own risk and sign off on expensive cyberinsurance policies.
About the author
Kathleen Richards is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath.
Send comments on this column to firstname.lastname@example.org.