Editorial & Advertiser disclosure

Global Banking & Finance Review® is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Home > Finance > CYBER RISK INSURANCE – BRIDGING THE GAP BETWEEN INSURANCE PROVIDERS AND COMPANIES INSURED

CYBER RISK INSURANCE – BRIDGING THE GAP BETWEEN INSURANCE PROVIDERS AND COMPANIES INSURED

Published by Gbaf News

Posted on August 14, 2014

6 min read

Last updated: January 22, 2026

CYBER RISK INSURANCE – BRIDGING THE GAP BETWEEN INSURANCE PROVIDERS AND COMPANIES INSURED - Finance news and analysis from Global Banking & Finance Review

Author: Craig Carpenter, Chief Marketing Officer, AccessData

The hottest topic in the insurance world today is “cyber risk insurance”, or coverage for the response to and fallout from cyber crime and breaches. As Reuters recently highlighted, the cyber insurance market is set to double in 2014 over 2013 – heady times indeed for a traditionally slow-growth industry in search of new markets. The need for cyber insurance has never been more acute, with numerous, massive incidents at companies like Target (whose CEO subsequently lost his job) and eBay, and government agencies like the Office of Personnel Management. But while these high–profile breaches have led to skyrocketing interest in cyber insurance, they have also highlighted a glaring weakness in insurance companies’ ability to price – and therefore offer – such coverage: the lack of incident resolution expertise, technology and processes amongst clients requesting coverage.

2014 has already been a banner year for hacking activity leading to major cyber breaches, from the aforementioned eBay and Target breaches – a trend which hit fellow retailers Neiman Marcus and Michaels Stores – to the alleged Chinese hack into the US government’s Office of Personnel Management’s systems. According to IDG, the first half of 2014 saw a 21% increase in data breaches over the same period in 2013. At this pace, 2014 will easily eclipse 2010 as the worst year on record for data breaches.

Craig Carpenter

Craig Carpenter

All of this successful hacker activity has led to an explosion in interest in cyber insurance, helped along by widespread coverage of Target’s ability to cash in on the $100 million of “tower” cyber insurance coverage it carried into the massive breach of its point-of-sale systems – to the tune of $44 million in reimbursements through Q1 2014 alone. Inevitably, this led to two simultaneous and opposite reactions: among potential insured entities, the interest level in cyber insurance exploded as more companies sought to mitigate their own growing exposure to cyber breaches, while amongst insurers the Target example led to the sobering realization that they cannot effectively price cyber risk.

The cyber insurance market is being held back by a lack of maturity in two critical areas. First, insurers have an alarming inability to model client risk. Cyber insurance is so new there is almost no empirical data for insurers to use – and empirical data is the currency of insurance. Without this knowledge, it is virtually impossible for a policy to be priced accurately. This is akin to writing an auto policy without knowing if the driver is a 45-year-old professional non-drinker or a 21-year-old college student. As it has always done with new policy types, the insurance industry will eventually build up enough empirical data to make risk modeling reliable. Getting there, however, will involve threading the needle between covering too much risk (thus losing money on overly aggressive policies) and eschewing manageable risk (thus allowing competitors to profit from one’s own timidness).

Second, insurers aren’t yet requiring clients to become prepared to deal with major breaches. As the Target board has come to realize, even a company with virtually limitless resources can be unprepared for a breach. For the insurer, this would be like writing a fire policy without requiring the client to have a sprinkler system. Why would insurance companies do such a thing? Because they approach the problem very much like their clients: that a breach is something to be prevented, not to be expected, detected and remediated quickly.

How can potential insureds and the insurance companies desperate to cover them with lucrative yet sensible policies find common ground? Three simple steps will go a long way towards achieving that end:

Realizing breaches are inevitable, focus more on quick detection, response and remediation than prevention. The idea that a network – any network – is impenetrable simply no longer reflects reality. Prevention is obviously important, but what really minimizes exposure is speed of resolution with any incident. If Target taught us nothing else, it was that even a cybersecurity team of more than 300 that has spent “several hundred million” dollars on the latest protective gear can fail. Where the Target breach went from minor incident to major hack was in ineffective incident response: it took Target weeks to shut down the breach, during which time tens of millions of user accounts were compromised.
Require a full-fledged incident resolution team and process. Arguably the biggest weakness for most companies is their lack of knowledgeable talent in-house that can handle a breach’s aftermath. Without the right people in place working with a sound process vetted in advance, breaches will inevitably get worse. No insurer would write a commercial building policy without a building security team and response plan, so why treat cyber security any differently?
Work with clients to develop best practices, starting with “Mean Time to Response (MTR).” The development of sustainable health, fire, auto and life programs illustrates a tried-and-true path forward, namely working with clients to develop metrics to indicate particularly risky (or healthy or safe) behavior. By far the best way to minimize any breach is to detect and remediate it as quickly as possible. While MTR is a new metric, it has already gained momentum as a quick way of gauging a company’s cybersecurity maturity.

Cyber insurance is ready to explode in the coming quarters and years as clients and insurance companies alike are clamoring for coverage. But the only way to unlock the market’s potential is for both sides to collaborate on the development of best practices, especially in the area of rapid detection and response. Without “virtual sprinkler systems” as standard features of any cybersecurity program, cyber breaches cannot be expected to be contained before major damage is done – an outcome no one wants to see.

About the Author

Craig Carpenter is the Chief Marketing Officer at AccessData. Prior to joining AccessData Craig was VP of Marketing and Business Development at Recommind where he pioneered and popularized predictive coding and predictive information governance into the hottest trends in the e-discovery and GRC markets, respectively. Before joining Recommind Craig led the global field and channel marketing teams at network security leaders Mirapoint and Fortinet (NASDAQ: FTNT. He has also taught graduate-level courses at the University of San Francisco in digital rights management and high-tech marketing. Craig believes the key to success is always maintaining a high-integrity, customer-centric focus.