Insurance companies typically have decades of data, if not more, on which to base their risk estimates.
That's not the case with cyber risk, however. There's very little historical data available, the data is not complete, and the threat landscape doesn't just change year by year, but day by day. There isn't even a standard set of definitions that everyone can agree on.
That's starting to change, as insurers expand their services so that they can better educate their customers about cyber risk and even help them defend against attacks before they happen and deal with the fallout of when a breach does occur.
I say potahto
One of the first problems when it comes to buying cyberinsurance is that nobody knows exactly what it means. Corporate financial officers, security managers, and insurance brokers have different understanding of risk, for example.
According to a recent cyberinsurance survey by the SANS Institute, only 30 percent of underwriters and 38 percent of information security professionals believe that they speak the same language.
Even within insurance industry itself, the language varies greatly from policy to policy, said David Bradford, co-founder and chief strategy officer at Advisen, which provides insurance data and analytics, and helped sponsor the SANS study.
For example, one policy might refer to a "privacy breach," another to a "data breach", and a third to "network security wrongful acts."
"Is a privacy breach the same thing as a privacy wrongful act?" he asked. "Is a data breach the same as a network security wrongful act?"
"And a lot of the language hasn't been tested in court yet," he added.
The problem is especially acute for small and midsized businesses and their insurance agents, said Dan Weedin, president at Toro Consulting.
"The insurance buyer has no idea about what they've got and what their risk is, and the insurance agent is also very limited in their knowledge," he said. "It's like the blind leading the blind."
Steve Malone, director of product management at security vendor Mimecast
The fact that the threat landscape is constantly changing makes it even more difficult to keep up, said Steve Malone, director of product management at security vendor Mimecast.
In a recent survey the company conducted, only 10 percent of IT experts said they believed that their cyber coverage was completely up to date, and of those who had cyber insurance, and only 43 percent were confident that it covered business email compromise fraud. There was a similar lack of confidence about new social engineering attacks.
"Almost half -- 45 percent -- of firms are clueless as to whether their cyberinsurance policy is up to date for covering these types of threats," Malone said.
When it comes to buying insurance, it's all about the risk. Does the customer smoke? Are they a safe driver? Are there smoke alarms in their house?
With cyberinsurance, however, neither the insurance companies nor the enterprises buying coverage have a good way of quantifying risk.
As a result, prices can vary greatly, said Advisen's Bradford. For example, similar coverage from competing insurers can range from $10,000 to $50,000, he said.
"The models just don't exist like they do in the automobile or life insurance industry," said Casey Corcoran, vice president at FourV Systems. "The empirical data just doesn't exist yet for insurance companies to have a robust answer for what is the liability, what is the amount I need to ensure for. And we're in a time now where IT information is increasing at an exponential rate. How do you adapt a model to something that's changing exponentially, especially in an industry that's used to writing policies for a year at a time, or longer?"
FourV is one of many vendors attempting to help insurance companies and their customers measure cyber risks -- not just once, when the policy is first written, but on an ongoing basis.
It's like the way that Progressive offers a discount of up to 30 percent to drivers who install the company's "Snapshot" gadget in their cars, he said.
Some insurers, for example, are looking to move beyond just selling policies to offer complete risk-related services, he said. They'll help companies evaluate their risks before they sell the policies, and then help them deal with breaches that may occur.
Helping companies with their cybersecurity doesn't just help insurers better measure customers' risk, but it also provides a better understanding of risk to the enterprises they service, he said. "If I'm talking to the CISO, they're used to answering the question 'Are we secure?' with 'It's a tough job, but I got it.' When pressed, the information security organization will generally answer with technical jargon."
For example, CISOs will talk about the systems and processes that they have in place. Those are activities, not risk measures, said Corcoran.
"If I'm the CFO, I have no confidence in that answer," he said. "What the insurance company is offering to do is interpret between the technical organization and the risk organization."
Insurance firms have to learn to live with this, said Tim Francis, enterprise cyber lead at Hartford, Conn.-based Travelers.
"You may not necessarily have the foresight to predict every iteration," he said. "But you can build the framework and the structure and have the resources at our disposal to try to deal with those threats when they develop. One of the things that we've done at Travelers is that we've gone out of our way to hire resources that come with non-traditional insurance backgrounds."
For example, Travelers has hired technical experts, former FBI forensic investigators, and former cyber crime prosecutors, he said.
This allows Travelers to better understand their customers' security infrastructure and risks, and learn which types of vulnerabilities are most likely to lead to breaches.
"Companies that demonstrate stellar cybersecurity and data security will likely receive better pricing than companies with a bad history," he added.
"The larger trend that we've seen, and that Travelers has been on the forefront of, is providing our clients with risk management advice and best practices," he added.
Another such company is AIG with its CyberEdge service, which helps companies train employees on cybersecurity, assess their security infrastructure, close security gaps, monitor the dark net for emerging threats, and continually scan both their own and partner networks for vulnerabilities. Then, if a breach does occur, AIG will help a company recover with access to legal firms, forensics investigators, and public relations experts. To do all this, AIG partners with Risk Analytics, K2 Intelligence, IBM, BitSight, RSA, and Axio Global.
That allows insurance companies like AIG to move away from pricing policies based on paid insurance claims.
"From a cyber perspective, that vantage point is really really narrow," said Scott Kannry, CEO at New York-based Axio, a data sciences firm focusing on cyber risk.
"We believe that cyber risk can be solved," he added. "The information is there. It's just not being captured."
AIG isn't alone in forging relationships with cyber security firms.
Symantec, for example, recently partnered with Guy Carpenter & Company, the reinsurance arm of Marsh and McLennan.
"Symantec provides Guy Carpenter with technical knowledge and proprietary data to create a cyber-aggregation model that helps reinsurers gain a better understanding of their correlated cyber risks," said Pascal Millaire, vice president of cyber insurance at Symantec.
In July, New York-based Integro Insurance Brokers announced that it will provide coverage for the loss of intellectual property and trade secrets, which are typically not covered by cyberinsurance. The company is able to evaluate this risk through its own risk assessment program.
That includes access to third-party readiness and preventative services, according to James Sheehan, the firm's cyber risk practice leader.
According to Advisen's Bradford, if a company's intellectual property is stolen, the damage can be catastrophic -- but also difficult to quantify, and very difficult to insure.
Business email compromise -- also known as CEO fraud -- can cost a company millions, and is also frequently not covered.
Here, however, some businesses now have a simple answer.
In June, Los Angeles-based Grandpoint Bank announced that it will insure business bank accounts against funds transfer fraud and cyber deception, starting at $30 per month.
"It's a group policy that you just have to enroll for," said Petra Griffith, the bank's director of product development. "You don't have to go through an underwriting process. You just pay a monthly fee -- similar to buying cellphone insurance through the cellphone carrier. The cost is much less than if you went and got a separate insurance policy."