Demand for Cyber-Insurance Rises, but Insurers Worry
"The market needs objective assessments and objective understandings of the risk," Ira Scharf, general manager of worldwide cyber-insurance for BitSight, told eWEEK. "Most of the current assessments are being done by surveys and manual processes."
Other technology startups seek to demonstrate to firms and insurers where a breach could do the greatest damage. PivotPoint, for example, looks at a company's business—the assets on which it relies and its security posture—and runs hundreds of thousands of automated simulations to determine the dollar value that is at risk from a breach.
"The insurance industry loves to say there is not enough data," said CEO Waits. "I don't think that is true."
Part of the problem, however, is that most insurance models treat attacks like random events. Many insurance firms look at breach insurance in the same way as accounting for the risk of a hurricane. Instead, they need to account for the adversary behind the attack. Even the most secure business can be breached. While better preparation will generally minimize the impact of a random disaster, if a company is targeted, it may not matter how well they are prepared.
The insurance market is still in its infancy, and it will take years for the industry to get a good handle on the problems of dealing with an intelligent attacker, he said.
"We are still years behind the bad guys," Waits said. "The Internet was never designed to be secure; it was designed to be a free and open platform."
Until companies are able to manage their risk better and insurance firms can more accurately gauge risk, businesses will have to account for uncertainty and the insurance market will have to continue pricing such uncertainty into its premiums.
"If you are going to model cyber-risk on anything, you have to model it based on major cyber-events that have happened in the world," Waits said. "This is a social science. It is not about hurricanes—it is about what people do when they do bad things."