Why mandates work for traditional insurance categories, but not for cyber-insurance

Cyber insurance was the brainchild of Steve Haase, an insurance broker for Hamiliton Dorsey Alston Co. When first introduced in 1997, the coverage was called Internet Security Liability (ISL). Early policies were designed to mitigate the risks faced by e-commerce vendors and were underwritten by AIG. While cyber insurance can trace its roots back a quarter of a century, it is, in many ways, still in its infancy.

Cyber-insurance policies, unlike health, life, auto, and most traditional lines of insurance, are not governed by regulators or legislation. There are no requirements on what must be covered, what can be excluded, or what rates can be charged. Without governance, insurance companies are working on their own to standardize coverage, normalize policy terms, and manage their exposure. This is achieved, in large measure, by requiring cybersecurity controls and practices for companies carrying cyber-insurance.

Risk profiles for traditional lines of insurance such as health, auto, or property and casualty insurance, are relatively static. Furthermore, insurance companies have large collections of actuarial data and are able to reliably predict risk based on fairly static conditions.

Cyber threats, on the other hand, are constantly changing. Bad actors are continually developing new tactics, techniques, and exploits. At the same time, companies’ computing infrastructure is continuously evolving, and each change brings the potential for new risks. To ensure security in this ever-changing environment, continuous monitoring of internal networks is required. Continuous monitoring provides insurance companies with actuarial data and ensures mandates are followed.

 

continue reading »