As we all know, insurance is a legal requirement for anyone driving a car on European roads. The level of cover can vary from third party through to fully comprehensive, with all policies underwritten using extensive actuarial data that factors in all the variables that can contribute to a claim needing to be made. These variables range from those pertaining to the driver, to the use the vehicle is being put to, geography and the vehicle model itself.
Indeed, we are now moving into a new era in which real-time 'telematic' data can be collected to provide an even greater insight into how a vehicle is being driven. Evolving from a need to offer affordable premiums to young drivers, it is now set to go mainstream, with insurers expecting to use such technology to cherry pick the best customers. After all, as an insurer, the better you are at gauging risk, the more competitive the premiums and hopefully the more profitable you become.
As car insurance starts to factor in technology to fine tune an already extensive 'back catalogue' of actuarial knowledge, it could be said that those offering cyber insurance are only just dipping their toes into the water where underwriting is concerned. The upshot is that policies could err between the comprehensive yet unaffordable and the cheap and cheerful with an exclusion list as long as your arm!
Clearly there is a massive opportunity forming on the horizon, however I would contend that our knowledge when it comes to underwriting is still woefully short of what is required to write commercially competitive policies for the mass market.
PCI DSS is probably a good starting point on the basis that it is universally mandated, albeit not necessarily enforced. It is, however, flawed on the premise that it focuses on a single data asset and that, for many, validation is self-assessed. That said, self-assessment is the basis upon which most insurance policies are granted. Beyond PCI, things start to get a bit more woolly. The UK's Cyber Essentials programme is gaining good momentum and is already linked to cyber insurance policies, which is a significant step in the right direction.
PCI DSS could ultimately become eclipsed by GDPR, which is now starting to come into sharper focus. Indeed I see 2017, to borrow a golfing term, as being the equivalent of 'moving day'. We have got this far, are still in the game, however now is the time to really make an impact. Whilst not a prescriptive standard, GDPR will act as a catalyst for businesses to start to get their house in order.
And with Cyber Insurance and GDPR increasingly cropping up in the same stories my guess is that as we progress towards the latter, the need for the former will become more apparent.
That said, we need to be clear that Cyber Insurance is not, and probably never will be, there to pay out for GDPR transgressions. Whilst it might cover a business against claims made against it by third parties, I have yet to hear of a policy that pays out against fines levied by regulators.
The chances are that both topics will garner considerably more attention with the might of GDPR, driving significantly greater efforts to manage cyber security risk where it relates to Personally Identifiable Information. These efforts will serve to better mitigate risk, which in turn should make businesses that much more insurable from a cyber perspective. Hopefully by then you will get what you pay for!
The first point is to look for an insurance policy that asks a breadth of questions. Given the complexities, the changing threat and the limited historic data that exists for cyber security, it is worthwhile seeking a more tailored policy. This will ensure that underwriters fully understand the level of impact you could be exposed to. Uncertainty generally results in higher premiums, and the cost of cyber insurance can be as much as three times higher than for more established liability risks. As you would with a consumer policy, comparing policies could see both a saving made and a more bespoke one being written.