While cyber-insurance could significantly help companies reduce their risk and direct businesses to develop better security practices, the insurance industry still lacks the maturity and the ability to determine clients' risk, according to an analysis conducted by security-information firm NSS Labs.
In the wake of the Target breach, the cyber-insurance industry has done a great deal of soul searching. While Target reportedly had $100 million in insurance with a $10 million deductible, the company had to combine several policies—in what the insurance industry calls a "tower"—to reach that limit. Following the breach, insurance companies have become more hesitant to take part in any such aggregation to offset the risk of cyber-attacks, according to industry experts.
Until carriers can find better ways to continuously measure and assess risk, however, the cyber-insurance market will develop slowly, Andrew Braunberg, researcher director at NSSLabs, told eWEEK.
"Insurance carriers do well in those industries where they have enough data to efficiently determine risk, such as home, fire and car," he said. "In cyber, however, there is an asymmetry between what they know about an organization's security and the company's risk profile; they are at a disadvantage there."
Insurance companies typically have to determine the degree to which potential clients are targeted by attackers and the maturity of the client's security processes. Yet insurance carriers also need more detailed information than they currently can collect, according to NSS Labs. The carriers need to determine the attack landscape, such as what vulnerabilities and exploits are being used, the effectiveness of security controls and the value of a business' information assets.
"This is a fundamental problem for insurance carriers because their competitive advantage is derived from the ability to create risk-adjusted premiums," the NSS Labs' report stated. "A lack of good data currently is both a tactical and a strategic limitation."
Adding to the uncertainty, security experts currently maintain that there is no perfect defense: A persistent attacker will eventually find a way past any security measures deployed by a targeted company.
NSS Labs highlighted the difficulties in research last year that showed that defensive layering does not always work because many defensive technologies use the same techniques to catch exploits. An attack that gets through one set of defenses is more likely to be able to get through another, the company found.
Attackers reportedly breached Target's network though the systems of a heating, air conditioning and ventilation (HVAC) service provider—a scenario that would have been hard to have initially predicted. Facing approximately 90 shareholder lawsuits and already racking up more than $80 million in costs, Target will likely see the damages from the attack exceed its policy, Braunberg said.
"There is just no way that $100 million is going to cover all the cost of that breach," he said.