I first spoke to a major insurer about 'cyber cover' nearly 12 years ago. I don't think we referred to it as 'cyber' back then; however, there was a recognition that as businesses became more reliant on the internet, there was going to be a need to cover any 'residual' risk that remained once all the right security controls had been put in place. This initial conversation pre-dated PCI DSS, which at the time was still an embryonic concept, with the various card brands only just starting to unite over a common standard that blended the merits of their own proprietary security programs.
Enterprise-level cyber insurance has matured significantly since then; however, where SMEs are concerned, it is possible that things have changed very little.
The need for cyber insurance is now greater than ever, yet despite things like PCI DSS and Cyber Essentials, insurers are still looking for ways to more effectively underwrite the risks they could be taking on.
So whilst we all supposedly thrive on choice, there does come a point when many of us would prefer not to have one, especially when we are not really qualified to make it! In such situations, provided that we are being given a competitive price, most would be happy with what they are prescribed!
I would argue that cyber security is one such scenario. 'Use this product that comes with our policy and we will insure you against x,y,z' vs 'choose what you like and we'll decide whether or not you are a good risk and then charge you accordingly'!
After all, without in-house cyber security expertise, many SMBs are at the whim of others, who may or may not be best qualified to help. Insurers occupy a unique place in the risk ecosystem, inasmuch as they are the ultimate arbiters when it comes to deciding whether you are doing enough to warrant taking on the risk. Surely this makes them best positioned to provide their customers with the right tools for the job, or as a minimum, to provide recommendations on what is going to work best for a given profile of business.
This approach would not only secure competitive pricing for their customers through the sheer economies of scale insurers can generate; they could also consider subsidies to bring new customers on board. In essence, the cyber insurance companies become the customers of the product vendors, with their actuaries ultimately influencing the level of functionality and usability required to meet the needs of those they are taking on as a risk.
It would also help to ensure that product vendors deliver pragmatic solutions that are fit for the markets they are serving. Indeed, I have often thought that whilst the cyber security industry 'cuts its cloth' according to the needs of large enterprise customers, the mass SMB market can end up burdened with solutions that it is unable to manage, let alone take full advantage of, functionality-wise.
Ceding a degree of influence to the insurers might just be the 'game changer' required to make cyber insurance viable for the mass market and help society to really get to grips with the cyber security challenges we now face.
Discount incentives are a natural next step as the relatively young industry matures and expands. Not only will major insurers start rolling out these programs, but customers will begin to expect and demand them. No one wants to be breached, and through the insurance assessment and renewal process, organizations will be further motivated by the discounts to take steps to improve their security posture. The insurance industry has historically been at the forefront of promoting safety features that ultimately benefit society as a whole, and cyber insurance will be no exception.