Cyber Insurance Needs to Grow Up

You can’t insure, what you don’t understand.

The cybersecurity insurance industry is in a tumultuous period, with skyrocketing deductibles, new limitations, hidden assumptions, and suffering from a slew of lawsuits from customers. The market is hot, with many companies now seeking cyber insurance policies, but some insurers are pulling back because of unexpectedly high payouts leading to losses, while others are blindly diving in to get a piece of the action. The insurance industry has a reputation for being stable and predictable over time but has failed to grasp the ambiguity and unpredictable nature of cyber.

I will outline what it will take for insurance companies to succeed, but first, a story:

I remember, well over a decade ago, speaking to the insurance industry about the need and challenges for the emerging cybersecurity insurance market. I had just published my Return on Security Investment (ROSI) paper and annually recurring cybersecurity predictions. With a refreshed understanding of the difficulties in foretelling the risks and likelihoods of cyber-attacks, I warned the insurance community that their normal actuary methods would not work over time and they would need to approach the growing chaotic uncertainty and radical shifts, driven by the intelligent attackers who take advantage of rapid technology innovation and…