A while back now (2011) I had the time to research the health of the cyber insurance market which had not taken a mainstream approach due to market inexperience. Since then, the myriad of cyber hacks have exponentially grown. Governments are now creating cyber insurance policies, the UK Government has created a guide on cyber insurance products and a Cyber-Essentials program whilst more and more IT staff are encouraging companies to change IT Security policies to incorporate a cyber insurance product. By the time research was completed (2013) the insurance market was still augmenting the landscape of modern cyber insurance.
At that time of research, information asymmetry between customers and providers was the reason for overpricing cyber insurance products, however to help the lack-lustre of insurance, insurance firms used contracted deductibles of vendor-sla's with a contract-pricing approach that moved the balance back to information asymmetry so appearing to provide value-add-services to reduce the overall contract cost.
Whilst a risk based approach was the saving grace of yester year where having the risk acknowledged in a register was sufficient, the cyber insurance approach will transform dramatically the assurance model of business processes. Whilst the vulnerabilities continue to have a risk weighting that would now tie into a cyber-insurance value. With ‘cyber‘ transforming entire global landscapes, the cyber insurance industry is sure to provide innovative solutions and a keen area to watch on how new technologies will need new insurance models.
[Figure : Tridib Bandyopadhyay, Vijay S. Mookerjee, Ram C. Rao , Communications of the ACM, Vol. 52 No. 11, Pages 68-73, 10.1145/1592761.1592780 ]