

Ira Scharf

The Problem With Cyber Insurance

Insurers have yet to develop an evidence-based method to assess a company's cyber risk profile. This can result in high premiums, low coverage, and broad exclusions.

Cyber insurance is one of the fastest growing segments in the insurance industry. With the tremendous increase in data breaches, companies are looking for insurance products to cover them in the event of a loss.

As the Boston Globe recently reported, one in three companies now has insurance coverage against cyber losses. Last year 20% more cyber insurance policies were sold than in 2012, according to a Marsh LLC report.

Recently disclosed high-profile breaches at Target, Neiman Marcus, and other large retailers highlight the tremendous impact a cyber breach can have on a company -- both financial and reputational. The potential losses can be significant. Some analysts see the Target breach costs exceeding $1 billion, far surpassing their insurance limits.

A gift that keeps on giving
Target's massive holiday breach was a giant gift to insurers that have been pushing these policies for years. For the rest of us, it was a wakeup call. And as the demand for cyber insurance has increased, insurers have come up with new ways to offer policies. In 2013, insurers rolled out 38 new cyber insurance products, according to the insurance analyst firm Advisen Ltd.

A senior executive at Aon Risk Solutions recently told The Wall Street Journal (subscription required): "Inquiries from potential buyers [of cyber insurance] have tripled since the recent hackings and a greater portion of callers are buying." Though demand has certainly grown, cyber insurance is still in its infancy, and there is still a lot of education to be done on the subject as more and more companies conduct a majority of their business online, opening themselves up to data theft.

Companies ranging from single-site firms to multinationals generally deploy a wide array of techniques in an effort to thwart cyber attacks. However, not all techniques are effective, and not all companies implement those techniques in a manner that achieves optimal results. Even when a company does have a strong risk management program, most insurers don't have an objective, evidence-based method to assess its risk profile. This uncertainty and lack of objective intelligence can result in policies with high premiums, low coverage, and broad exclusions.

Wanted: evidence-based cyber risk ratings
Questionnaires used in cyber insurance underwriting as part of the application process can be broad and subjective, as well. They give an indication of security policies and procedures that may be in place at a given company, but not how effectively those policies and procedures are implemented. Two companies with similar security practices may have very different security outcomes. A recent blog post by George Hulme outlines how questionnaires may lead to a false sense of security for risk managers.

Further compounding the problem is a well-known fact among security professionals: Hackers are becoming ever more sophisticated in the methods they use to attack companies, which makes it difficult for companies to keep up with the latest security practices.

An objective, evidence-based cyber risk metric is needed to measure security effectiveness, not simply policies and procedures. A cyber risk metric can offer underwriters a distinctive tool for assessing the potential for cyber loss at a particular company. Algorithms used to calculate cyber risk metrics can analyze vast amounts of data, including Internet communication and evidence of actual security compromises and vulnerabilities. Underwriters can use this information, in addition to their other underwriting procedures, to gain a critical window of visibility into a company's security posture.

Security ratings can transform the insurance industry by allowing insurers to compare companies empirically against one another and against industry averages. This gives underwriters an objective method to gauge the cyber risk of prospective insureds and offers insurers the capability to continuously measure and track the overall risk of their entire portfolio.

Ira Scharf is Chief Strategy Officer with BitSight Technologies. He previously was President of AirDat and served as General Manager of Energy & Risk for the Weather Channel.
User Rank: Apprentice
7/16/2014 | 8:02:01 AM
Check out FAIR
There is an existing risk quantification framework called FAIR (factor analysis of information risk) which is available from the Open Group. This framework provides a consistent and objective framework for quantifying cyber / information risk. There is a vendor that offers software based on FAIR (CXOWARE) that does a credible job of quantifying risk. Might be something worth looking into.
User Rank: Apprentice
6/25/2014 | 7:20:28 PM
Design for Actuarial Proxies and Underwriting Schema for Cyber Risk Already In Hand

Method, system, and service for quantifying network risk to price insurance premiums and bonds

United States 8494955

Issued July 23, 2013

A method for determining financial loss related to performance of an internetwork, comprising: collecting input information regarding performance of an internetwork using techniques that simultaneously record topology and performance; detecting at least one anomaly in at least one portion of said internetwork; translating said at least one anomaly into at least one operational risk for a financial entity that underwrites insurance premiums and bonds by: adding information about a first plurality of enterprises in an industry; estimating a total cost for said industry for said plurality of anomalies; and, determining respective costs for claims on insurance policies for said industry based on said total cost; or, interrogating at least a portion of the network topology; making estimates of internetwork conditions at the time of an anomaly resulting in a loss; and, calibrating a disbursement against a covered party's claims with respect to the at least one anomaly.

Problem solved.


Marilyn Cohodas,
User Rank: Strategist
6/24/2014 | 8:25:17 AM
Re: unknown unknowns
This has been a fascinating thread with a lot of excellent points about the challenges of calculating cyber security risk from an actuarial point of view versus the traditional cost/benefit, risk management perspective of an enterprise security team. Can there be objective, evidence-based risk metrics in a world of "unknown unknowns" that will offer organizations some additional protection in the event of a breach? I hope so. But for the young cyber-insurance industry a lot remains to be seen.
User Rank: Strategist
6/23/2014 | 10:18:35 PM
unknown unknowns
Underwriters have nominally avoided acts of war as legitimate risk opportunities, at least those operating with statistical evidence. I can't imagine this market surviving given what we know about the origin of cyber attacks & PII compromise, etc. Nature can be devastating but at least predictable. These events will by nature continue to evolve as genuine gambling. Perhaps both sides would be better off spending resources elsewhere. Of course this will all go away when totally secure systems become available. At that point cyber insurance will become irrelevant.
User Rank: Strategist
6/20/2014 | 10:18:30 PM
Re: The Problem With Cyber Insurance
Good comments Brian. I totally agree with your synopsis. CI is in its infancy and may take some time to mature.

Many CI carriers are unable to ascertain the value of data loss and what the compromised data may be. 

CI should not be seen as the panacea, but merely form a part of any good risk transfer/mitigation strategy.

Randy Naramore,
User Rank: Ninja
6/18/2014 | 12:55:59 PM
Re: High premiums, low coverage, & broad exclusions. Oh my!.
While I see how the idea of cyber insurance is attractive to anyone who is concerned with the possibility of breach, it is a false sense of security. If you follow a defense-in-depth approach to security and make sure employees are educated to the dangers of the internet, then you are doing all you can to "insure" yourself, and even then you might be breached. IMO.
Robert McDougal,
User Rank: Ninja
6/18/2014 | 12:33:50 PM
Re: High premiums, low coverage, & broad exclusions. Oh my!.
I agree, I don't see how this type of insurance will be anything more than a paper shield.  Basically, any company that does business on the internet can fall prey to a currently undiscovered vulnerability (think heartbleed).  Those companies could do everything within their power securely and still experience a breach.  In short, what I am pointing out is that there isn't a low risk group to offset the losses of the high risk group, making this coverage ultimately unsustainable.
Brian Thornton,
User Rank: Apprentice
6/18/2014 | 6:46:25 AM
The Problem With Cyber Insurance
While there are plenty of good reasons to improve the evidence-based method to assess a company's cyber risk profile, I take issue with the statement, "This has resulted in high premiums, low coverage, and broad exclusions."

Rates are driven by loss ratios and supply and demand. Over the last few years there have been many new markets entering the cyber insurance world, resulting in more competition and broader terms than just a year ago, especially for the smaller and mid-sized companies.

This market is still in its infancy. Compared to other lines of business there is a very low correlation between the insured's amount of data and how they protect it and their loss ratio. The best risk can still easily have a bad loss and the worst risks can go clear for a long time.

As the market matures, this will become less of an issue. I do agree that data collection in the underwriting process can provide a good basis for long-term risk comparison across a carrier's portfolio. Things will no doubt move in that direction, but saying the lack of this in the industry has resulted in high premiums, low coverage, and broad exclusions is just not accurate. Coverage has become broader and more competitive every year the product has evolved.

The insurance is part of an overall risk management process. It starts with IT and involves senior management, education of the entire staff, and building an overall awareness of the exposures, ending with a component of risk transfer. There are plenty of lower risk accounts that have less data and very good policies and procedures to balance out the higher risk accounts, and a lot of carriers to share in the risk. A comment that this insurance is unsustainable is ill informed. Heartbleed has not resulted in any material impact as far as cyber insurance goes.
User Rank: Ninja
6/17/2014 | 6:17:05 PM
Re: High premiums, low coverage, & broad exclusions. Oh my!.
Also not filling me with the warm fuzzies, and as a mid-level engineer, I don't even have to worry about this type of analysis.  But, as someone in the trenches, I can see where this could go very wrong very quickly if not tightened up and regulated. 

Because "acts of God" are so unpredictable, it makes insurance on property difficult, but still doable with quantifiable damages and some level of predictability for some regions where earthquakes, tornados and typhoons occur with some certainty.  But how do you even begin to fully quantify the mind of a cyber criminal and what they might do, how they might do it, and what economic damage it will equate to?

For instance, how do you value 100,000 credit card numbers stolen?  What if the data includes more than just the numbers?  What if the criminal isn't interested in the numbers at all, but some other data?  What if the whole theft is a cover so someone doesn't realize the spending habits of a certain senator were what the target was all along?

And if you think people are getting ripped off now by life and property insurance scams, imagine the doors this opens...

Marilyn Cohodas,
User Rank: Strategist
6/17/2014 | 1:49:26 PM
High premiums, low coverage, & broad exclusions. Oh my!.
This doesn't seem like a very attractive solution -- at least for now. Ira, are there any circumstances where you think cyber insurance is a good idea? Or should companies wait until the cyber insurance market matures and can begin offering some more comprehensive and affordable packages?