Is cyber insurance becoming an ‘unviable product’?
The Federation of European Risk Management Associations (Ferma) has voiced concerns that the cyber insurance market is evolving in isolation from the industries it serves. The body has warned that cyber insurance could become an “unviable product” for companies, as buying such policies has become harder due to exemption clauses introduced recently by Lloyd’s of London.
Changes are afoot and certainly an evolution is occurring.
I worked for a SMB at one time and even in those days, they chose to be self-insured. I then move to a Global organisation who also chose not to purchase cyber insurance.
Recently there have been many articles around cyber insurance, the cost and ultimately the fact that most if not all of the insurers are refusing to pay. This is due to language in policies and sometimes a misunderstanding.
I did hear one bright thought on the (ISC)2 quarterly update that they are attempting to work with Insurance companies on language, etc. I hope that they follow through on this and develop a checklist (probably not the right word) for both insurers and insurees to use when evaluating policies.
However, we all know from experience that insurance companies do not necessarily like to pay (ever have an auto accident or home insurance claim) and if they do, your premiums will increase in subsequent years.
@dcontesti within the federal and DIB space, there's lots of defense frameworks. Large companies that learn to use ISO and NIST frameworks have a distinct advantage. But SMBs really are at the mercy of whoever walks up and says, "I can computer!", as to whether a security position will be established while their IT is assembled.
Fire departments are rated by insurance companies, and homeowner insurance rates are set by the fire departments' ISO rating. Insurance companies are well positioned to help SMBs determine how companies can architect risk management, but only with good practices and guidance. Maybe NIST can offer the practices, and ISC2 can provide guidance.