
Is Cyber-Insurance Worth the Capital Investment for Businesses?

When assessing risk options for cyber-attacks, the natural response for corporate managers is to insure against the risk by paying a third party to ‘indemnify and hold harmless’ against such a catastrophe.  However, in mid-April this year, Insurance Journal reported that 3 out of 4 corporate managers were forgoing cyber-insurance policies to cover data breaches despite the increase in cyber-related attacks.  The reasons for not buying cyber-policies range from a belief that the organization’s internal controls are sufficient to a judgment that the potential loss of data is simply not economically significant in the eyes of the organization; most companies have eventually emerged from high-profile data breaches (e.g. TJ Maxx, Gap, Inc., etc.).

The insurance industry’s explanation of why few organizations are buying cyber-insurance is entirely different.  To see the point, one need only look at one’s own auto insurance policy.  Comparing coverages, the insured will notice that the auto policy terminology, definitions, and exclusions are, for the most part, universal among providers.  The reason for this is not “collusive” in nature (although that could be argued), but that auto accidents have occurred for so long that the insurance industry knows how to “price” binding coverage.  Cyber-attacks are a recent phenomenon for insurance companies to handle, and as a result, the policies being sold on the market are varied and not uniform.  There are more than 30 cyber-insurance carriers in the U.S. market, and they all have different policies because no standards have been set in place.  Ask 10 people, “what is the standard of care for safeguarding information?” and the answers will never be the same.

The financial industry says that PCI DSS is the standard of care for safeguarding data, while the healthcare industry looks more to HIPAA regulations.  Putting the cart before the proverbial horse, it is unrealistic to provide coverage if the standard of care is not established.  After all, regulations around “data care” may not be sufficient for some industries, and in others they may be cost-prohibitive.  That is probably the rationale for why 3 out of 4 corporate risk managers would rather “go it alone” from a risk management standpoint than buy an insurance policy.
