Cyberrisks present new challenges to insurers
All businesses insure against risks like fire, flood and theft. Insuring against cyberrisks though is a relatively new field and it's hard to know how much cover is adequate.
According to a new report from NSS Labs, US retailer Target had $100 million worth of cybersecurity coverage at the time of its breach last year. But with losses estimated at $88 million by May this year and a number of lawsuits still pending it looks like that cover won't be enough.
The report's authors say that a more sophisticated and robust insurance market is needed to provide better risk management for companies. In 2013 the entire US cybersecurity insurance market was around $1.3 billion, however, the Center for Strategic and International Studies says that cybercrime costs businesses worldwide around $400 billion a year.
Insurance companies can have a positive influence on the security policy of the organizations they cover, but in order to do this they need to better understand the risks. NSS says that insurers need to build greater expertise in cyberrisks.
This means having accurate details of the attack methods and exploits used, details of IT assets and their value to the business, the effectiveness of security controls, the likelihood of an organization being targeted, and the maturity of security processes.
All of this information can be used to calculate risk accurately. Over time this threat data can be compared with claim records to give insurers a better understanding of the risks posed by a particular customer and allowing them to set premiums accordingly.
Among the recommendations NSS makes are that insurers should adopt the concepts of network resiliency set in the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), and that security teams should focus more on attacks that are capable of bypassing their defenses rather than those that are detected and blocked.
If you want to find out more the full report is available on the NSS Labs site.