It’s the beginning of October and we begin a new month of “awareness’s” here in the U.S. It’s a big awareness month too, rivaled only by May and September by some listings. It’s National Breast Cancer Awareness Month (pink shoelaces and wristbands on NFL players is an easy reminder) and it’s National Liver Cancer Awareness Month. Serious causes without a doubt. In fact, most of the awareness movements are health related such as Eczema Awareness Month (October), Digestive Tract Paralysis Month (August), Borderline Personality Disorder Awareness Month (May), STD Awareness Month (April), and Dysautonomia Awareness Month (October), which I had to look up. Now I’m more aware.
A few on the list for this month are not health related, but also of great importance: National Fire Prevention Month, National Bullying Prevention Month, Polish American Heritage Month, and the more shadowy, Cyber Security Awareness Month. Life insurance has an awareness month. It’s in September. However, cyber insurance does not yet and we may be waiting quite some time before it does.
>Cybersecurity has risen to become one of the defining issues of today. Rehashing some example cyber incidents that explain why is not necessary. Suffice it to say that this issue is a daily hot topic among popular media, industry watchdogs, business leaders, and governments, others not excluded. Despite this, awareness and the decision to purchase cyber insurance among businesses is lagging and not because it doesn’t have its month yet. At present the product itself is unrefined and complicated by the gaps in fully grasping cyber risks and how to properly underwrite them. However, businesses, particularly small businesses which can be devastated by the hefty costs associated with a cyber incident, can benefit from the coverage cyber insurance policies can provide. The Department of Homeland Security, a rightful spearhead on cybersecurity, has even weighed in on the benefits of cyber insurance as part of overall cyber security planning.
During our recent research on insurance, our questions about the growth and development of cyber insurance received at best a lukewarm response from the consultants we spoke with, understandably. Premiums can range anywhere from $7,000 to $35,000 with various caps and limits on coverage. Even the name, cyber security insurance by some, cyber liability insurance by others, speaks to the different views insurance companies have on what risks to exactly cover and what coverage they are selling. Insurance companies aren’t clear on this product yet because they, along with many businesses that fall victim to cyber incidents, lack the skills and expertise to fine tune cyber insurance.
The lack of cybersecurity talent is a well-known issue and insurance companies aren’t alone. The February 2013 roadmap that accompanies the NIST Improving Critical Infrastructure Cybersecurity framework states that a “skilled cybersecurity workforce is needed to meet the unique cybersecurity needs of critical infrastructure”, and that “[t]here is a well-documented shortage of general cybersecurity experts”.
Where does this leave cyber insurance? Its awareness will be raised by the same groups, good guys or bad, that have raised awareness of cybersecurity itself of course. By some statistics a lucrative market for this coverage is waiting and is expected to take off and should, particularly as governments and regulators get even more involved. As the product matures and evolves with insurers seeking necessary skill sets through partnerships and acquisitions, particularly with cyber experts and financial technology firms, and as claims filings and ubiquitous claim litigation cases build, insurance companies will learn more. They will continue to add more supporting services around the product. Auto insurers have done this by providing us with tips and advice on operating motor vehicles to make us safer drivers. Health providers push healthy living facts and advice our way to encourage us to live better lives. In much the same way, insurance companies can build out their cyber product offering to demonstrate that they are part of an overall solution to the challenges and threats in cybersecurity, furthering awareness of cyber insurance and cybersecurity itself – and thereby protecting their own margins in the bargain.