Cyber Insurance Recent Advances, Good Practices & Challenges-ENISA
Article Synopsis:
Cyber insurance was created to address risks that cannot reasonably be mitigated by security measures. Compared with other insurance sectors, cyber insurance appears to have a lower adoption rate, while growth projections remain high. Globally, annual sales of cyber coverage will reach $7.5 billion by 2020, three times the 2015 figure, with a further expectation of reaching $20 billion by 2025. For Europe specifically, the cyber insurance market will be boosted by the adoption of the GDPR and the NIS directive.
The EU Agency for Network and Information Security (ENISA), recognizing the growing need of insurance companies and customers alike for cyber insurance, gives us “Cyber Insurance: Recent Advances, Good Practices and Challenges”, a comprehensive report focusing on key developments and challenges with respect to cyber, including an insurer’s pre-policy risk assessment. The report is split into two parts. The first raises awareness by identifying the most significant cyber insurance developments of the last four years; the second issues recommendations for policy makers, insurers, and cyber insurance customers.
Part I: Significant cyber insurance developments from 2012-2016:
- Increased awareness results in better preparation. Per a survey, only 21% of organizations have a clear understanding of cyber insurance, placing the rest at a disadvantage. This awareness gap is drawing keen interest in cyber insurance matters from insurers and related organizations.
- Regulations are playing a key role here, for example the EU adoption of the NIS and GDPR directives, both aimed at hedging against cyber risks.
- Claims help cyber carriers acquire significant expertise in understanding the unique risk characteristics of cyber. This makes claims a revolutionary driver.
- The scope for service improvement has increased with the efficient use of analytics and management software.
Key knowledge for pre-policy risk assessment is discussed in detail along three main points:
- Business coverage and baseline assessment: including business-related knowledge and risk appetite.
- Provided coverage: whether it is first-party or third-party risk coverage, what risk does the insurer bear?
- Adoption standard – Audit strategy: understanding and monitoring policy compliance procedures.
The report, based on key takeaways from the assessment, shares the following ‘good practices’:
- Understand the importance of leadership roles and make it an imperative to have a Chief Information Security Officer (CISO) or equivalent with a direct reporting line to the CEO. Information security personnel must have clearly defined roles and responsibilities. Also assess the quality of the resources employed on information security.
- Validate the existence of a comprehensive and formal information security program and evaluate the organization’s cyber security maturity.
- Check the effectiveness of the information security program. Are there clear incentives for the employees who drive the program’s success?
- Is there a formal incident response program?
- Confirm the implementation of security measures such as business continuity planning, data classification, etc. Obtain and evaluate information about existing encryption strategies and technologies involved.
- Verify third-party vendor management processes.
- Improve board oversight with clear notifications and approvals in relation to cyber security programs.
Key challenges for the cyber insurance market, as identified by insurers, include:
- Data-related challenges in cyber security management.
- Lack of customer awareness of cyber insurance.
- Lack of a common understanding of policy terms and conditions.
- Lack of internal (technical) expertise.
- Cost calculation on the basis of an incident scenario.
- Utilizing predictive analytics for the assessment of potential risks and impact.
Part II: Recommendations
- Encourage the active participation of the European Commission on ENISA cyber insurance activities
- Avoid the introduction of mandatory requirements that might undermine the cyber insurance market adoption rate
- Improve areas of pre-policy risk assessment identified as most wanting by insurers
- Invest in and advance the accumulating risk calculation
- Consider adopting common standards and methodologies
- Introduce explanatory sessions, and provide customer scenarios and generic examples of policy coverage
- Clarify policy language and offer a transparent underwriting process
Cyber Insurance Customers:
- Be more open on sharing data, possibly under a legal agreement (e.g. NDA)
- Get informed, prepare, and document environments before requesting a cyber insurance policy
Digital Insurer's Comments
This report is an excellent read on two levels: 1) it helps define good cyber hygiene, which every insurer needs, and 2) it shares a framework for writing cyber insurance, which more carriers are considering as an option. Though this report is EU-specific, many of the findings and observations apply to insurers worldwide.
We write a lot about shrinking premium pools, primarily in personal auto insurance, caused by the digitization of risk (e.g., telematics, UBI, IoT). What we expect to write more about in the future is the greenfield opportunities open to insurers in entirely new classes of risk, such as cyber. Digital destroys premium, but it also creates it in new ways.
One of the key takeaways from this report is the value of claims. To win in these new markets, insurers have to be willing to take losses and learn from them. Fortune favors the bold.