Insurance companies typically have decades of data, if not more, on which to base their risk estimates.
That's not the case with cyber risk, however. There's very little historical data available, the data is not complete, and the threat landscape doesn't just change year by year, but day by day. There isn't even a standard set of definitions that everyone can agree on.
That's starting to change, as insurers expand their services so that they can better educate their customers about cyber risk and even help them defend against attacks before they happen and deal with the fallout of when a breach does occur.
I say potahto
One of the first problems when it comes to buying cyberinsurance is that nobody knows exactly what it means. Corporate financial officers, security managers, and insurance brokers have different understanding of risk, for example.
According to a recent cyberinsurance survey by the SANS Institute, only 30 percent of underwriters and 38 percent of information security professionals believe that they speak the same language.
Even within insurance industry itself, the language varies greatly from policy to policy, said David Bradford, co-founder and chief strategy officer at Advisen, which provides insurance data and analytics, and helped sponsor the SANS study.
For example, one policy might refer to a "privacy breach," another to a "data breach", and a third to "network security wrongful acts."
"Is a privacy breach the same thing as a privacy wrongful act?" he asked. "Is a data breach the same as a network security wrongful act?"
"And a lot of the language hasn't been tested in court yet," he added.
The problem is especially acute for small and midsized businesses and their insurance agents, said Dan Weedin, president at Toro Consulting.
"The insurance buyer has no idea about what they've got and what their risk is, and the insurance agent is also very limited in their knowledge," he said. "It's like the blind leading the blind."
Almost half -- 45 percent -- of firms are clueless as to whether their cyberinsurance policy is up to date for covering these types of threats.
Steve Malone, director of product management at security vendor Mimecast
The fact that the threat landscape is constantly changing makes it even more difficult to keep up, said Steve Malone, director of product management at security vendor Mimecast.
In a recent survey the company conducted, only 10 percent of IT experts said they believed that their cyber coverage was completely up to date, and of those who had cyber insurance, and only 43 percent were confident that it covered business email compromise fraud. There was a similar lack of confidence about new social engineering attacks.
Sign up for Computerworld eNewsletters.