"Almost half -- 45 percent -- of firms are clueless as to whether their cyberinsurance policy is up to date for covering these types of threats," Malone said.
When it comes to buying insurance, it's all about the risk. Does the customer smoke? Are they a safe driver? Are there smoke alarms in their house?
With cyberinsurance, however, neither the insurance companies nor the enterprises buying coverage have a good way of quantifying risk.
As a result, prices can vary greatly, said Advisen's Bradford. For example, similar coverage from competing insurers can range from $10,000 to $50,000, he said.
"The models just don't exist like they do in the automobile or life insurance industry," said Casey Corcoran, vice president at FourV Systems. "The empirical data just doesn't exist yet for insurance companies to have a robust answer for what is the liability, what is the amount I need to insure for. And we're in a time now where IT information is increasing at an exponential rate. How do you adapt a model to something that's changing exponentially, especially in an industry that's used to writing policies for a year at a time, or longer?"
FourV is one of many vendors attempting to help insurance companies and their customers measure cyber risks -- not just once, when the policy is first written, but on an ongoing basis.
It's like the way that Progressive offers a discount of up to 30 percent to drivers who install the company's "Snapshot" gadget in their cars, he said.
Some insurers, for example, are looking to move beyond just selling policies to offer complete risk-related services, he said. They'll help companies evaluate their risks before they sell the policies, and then help them deal with breaches that may occur.
Helping companies with their cybersecurity doesn't just help insurers better measure customers' risk, but it also provides a better understanding of risk to the enterprises they service, he said. "If I'm talking to the CISO, they're used to answering the question 'Are we secure?' with 'It's a tough job, but I got it.' When pressed, the information security organization will generally answer with technical jargon."
What can cyberinsurance cover?
- Forensic investigation costs
- Computer and data loss replacement or restoration costs
- Increased operational costs
- Physical damage resulting from attacks on industrial control systems
- Lost business opportunities
- Public relations expenses and reputation management services
- Notification costs and credit monitoring for data breach victims
- Electronic theft and fraud protection
- Cyber extortion and ransomware
- Legal costs from defending against lawsuits by partners or customers
- Penalties and losses incurred due to inability to meet contractual obligations
- Expenses and fines related to regulatory and law enforcement investigations
- Fines or penalties imposed by payment card brands, service providers or acquiring banks