Companies evaluating cyber insurance sometimes complain that they don't know what they're buying, what it does and doesn't cover, how it compares to competitive offerings, and what it's really worth. A recent Ovum/FICO survey reported that only 1/4 of CxOs and senior security officers thought premiums accurately reflected their organization's risk profiles. Even fewer viewed cyber liability insurance pricing as "clear and transparent."1
We'll discuss a long-term solution -- but before we do, we need to briefly consider the issue from the insurer's perspective.
As new insurance markets emerge, insurers typically face the challenge of quantifying and pricing risk based on limited historical data. With cyber insurance, that's an especially vexing problem, because many attacks have traditionally gone unreported. As Deloitte notes, governments now require reporting when personally identifiable information is exposed. But other attacks may still fly under the radar, representing large cyber risks.2
Even if an cyber liability insurance provider trusts its historical data, threats change rapidly. Previous claims and crimes may not be as predictive as insurers would like. What's more, cyber risk can aggregate. It's one thing to cover a claim for intrusion against one company's data centers. But if a public cloud that serves 1,000 policyholders is compromised, the insurer faces radically higher liability.2
Each cyber insurance provider must make its own judgments about risks like these. Their judgments vary, leading to meaningful differences in cyber liability insurance premiums and policy terms. Sensibly, insurers protect themselves by attempting to narrowly define their exposures, and by focusing on the cyber risks where they have the best information.
Accordingly, many policies address PII exposure, and promise to pay for definable expenses such as customer credit monitoring. But they may offer more limited coverage for other important cyber risks, such as reputational harm or lost intellectual property.3
Consider, especially, the issue of negligence. As Nemertes Research points out, an insurer often reserves the right to refuse a claim if it finds that the loss was caused by policyholder negligence. But insurers and individual policies vary in how they define negligence, and whose negligence can be grounds for denying payment.3 A closely related issue is ransomware. Costly ransomware attacks are often excluded by cyber liability insurance policies, and often arise from an employee's carelessness in clicking a malicious email or web link. In underwriting policies, cyber insurance firms would ideally assess the behaviors of a customer's employees as part of its risk profile, but doing so has been challenging.
Fortunately, for both cyber insurance underwriters and their customers, the answer is the same: greater clarity about cyber risk, and more effective action to reduce the human errors that cause or contribute to most security compromises.
That's where Ataata comes in. We work closely with both insurers and customers to understand security risks created by human error, and mitigate them by changing employee behavior.
Our platform gives organizations actionable, up-to-the-minute data about how well their workforces can resist nearly all contemporary cyberattacks. We help them identify specific areas of risk, quickly focus mitigation, drive changes in behavior, and track the results.
We're also partnering with innovative insurers who want to use our robust intra- and cross-industry datasets to price risk more accurately, and design more attractive, cost-effective policies. We think that's what it'll take to widen the market, and bring cyber insurance to everyone who could benefit.
For centuries, insurance has empowered enterprise by making new forms of risk more manageable. If we can gain greater clarity on human risk and demonstrate better ways to reduce it, cyber insurance can play an equally important role in the digital age. Quantifying and reducing human error is hard, but it's crucial. That's why Ataata took on the job -- and we're proving it can be done.
1 "Cybersecurity Insurance – 3 Reasons Businesses Aren't Buying," FICO;
2 "Demystifying cyber insurance coverage: Clearing obstacles in a problematic but promising growth market," Deloitte Insights;
3 "Should the Enterprise Buy Cybersecurity Insurance?" Nemertes Research;