While cybersecurity insurance is newer to the loss mitigation scene than, say, home or auto insurance, it's quickly becoming another must-have for major business. This need has been underscored by the highly publicized data breaches of Home Depot and Target. Article after article examining the circumstances surrounding these cyber thefts and their resolutions appeared in headlines for years after the breaches were contained.
As a result, the data breaches experienced by Home Depot and Target have become cautionary tales demonstrating just how far the fallout from fraud can extend. Both insurers and businesses have taken notice. What's interesting about the effect of this focus is that it has allowed insurance companies to successfully increase the bar for cybersecurity standards without having to wait on government regulations to catch up with technology.
Businesses need cybersecurity insurance to keep from joining the ranks of Home Depot and Target, and insurance companies need to make smart decisions about which companies they offer policies to and at what rates in order to remain profitable. CSOonline.com reports that these circumstances have led to two results:
- Many insurance companies are refusing policies to companies that do not meet much higher minimum security standards than previously required — or charging a very high premium for the privilege of gaining coverage.
- Companies are complying with the increased security requirements so that they can obtain insurance.
This means insurance companies are actively influencing the cybersecurity measures businesses take — and for the better. Two typical heightened security requirements for obtaining affordable cybersecurity insurance are end-to-end encryption (or plans to implement within the near future) and annual cybersecurity training for employees. Additional requirements that those in the industry predict are coming down the pipe include anti-phishing awareness programs, strong network segmentation, and network hygiene controls for industrial control systems.
On the flip side of the coin, businesses are demanding that insurance providers offer more coverage. Pre-loss mitigation services, loss of personally identifiable information, and cost of business interruption are now considered merely a starting point for cybersecurity insurance. To remain a competitive option for those companies that comply with the more stringent security requirements, insurance companies will have to offer additional features in their policies.
It's also important to note that because cybersecurity insurance is so new on the scene, it still has a bit of growing up to do. Many professionals in the industry have come to it from other more traditional areas of insurance, such as home and auto, and lack comprehensive training in the tech involved with cybersecurity. Additionally, the data cybersecurity insurance has been able to collect in regards to claims and payouts is still approximately 30 to 50 years away from becoming vast and in depth enough to deliver the necessary insights to be truly useful for risk assessment.
But Rome wasn't built in a day, and any step in the direction of heightened cybersecurity is a step in the right direction. We will be watching the progress of cybersecurity insurance companies with great interest as the industry grows in experience and influence.