Despite cyber insurance growing in popularity in recent years, it’s still failing to have the desired impact as insurers struggle to understand the risks involved.
This is according to a new report from defense and security think tank RUSI, which also states that collecting reliable data to inform underwriting has been difficult for insurers.
Basing its findings on interviews and workshops with experts across the insurance and cybersecurity industries, government, and academia, RUSI says that insurers and reinsurers can’t properly assess risk without adequate data. This means they are unable to price policy premiums.
Furthermore, the market has not yet started using financial incentives and security obligations to improve policyholders’ cybersecurity practices. As a result, RUSI claims, cyber insurance exists more in the domain of “theory” than “practice”.
According to RUSI, some cyber insurers are “beginning to move in the right direction”. But others have been criticized for recommending ransomware victims pay the ransom, thus “incentivizing cybercriminals”. Some insurers have even left the market due to losses from ransomware.
Cyber insurers should motivate organizations to up their security game, the report concludes, adding that the goal of improving cybersecurity practices is “more limited than policymakers and businesses might hope”.
In order to address these challenges, insurers should collectively agree on a set of minimum security requirements as part of risk assessments for SMEs, as well as explore partnerships with managed security service providers, cloud service providers and threat intelligence providers.