For example, CISOs will talk about the systems and processes that they have in place. Those are activities, not risk measures, said Corcoran.
"If I'm the CFO, I have no confidence in that answer," he said. "What the insurance company is offering to do is interpret between the technical organization and the risk organization."
Insurance firms have to learn to live with this, said Tim Francis, enterprise cyber lead at Hartford, Conn.-based Travelers.
"You may not necessarily have the foresight to predict every iteration," he said. "But you can build the framework and the structure and have the resources at our disposal to try to deal with those threats when they develop. One of the things that we've done at Travelers is that we've gone out of our way to hire resources that come with non-traditional insurance backgrounds."
For example, Travelers has hired technical experts, former FBI forensic investigators, and former cyber crime prosecutors, he said.
This allows Travelers to better understand its customers' security infrastructure and risks, and learn which types of vulnerabilities are most likely to lead to breaches.
"Companies that demonstrate stellar cybersecurity and data security will likely receive better pricing than companies with a bad history," he added.
"The larger trend that we've seen, and that Travelers has been on the forefront of, is providing our clients with risk management advice and best practices," he added.
Another such company is AIG with its CyberEdge service, which helps companies train employees on cybersecurity, assess their security infrastructure, close security gaps, monitor the dark net for emerging threats, and continually scan both their own and partner networks for vulnerabilities. Then, if a breach does occur, AIG will help a company recover with access to legal firms, forensics investigators, and public relations experts. To do all this, AIG partners with Risk Analytics, K2 Intelligence, IBM, BitSight, RSA, and Axio Global.
That allows insurance companies like AIG to move away from pricing policies based on paid insurance claims.
"From a cyber perspective, that vantage point is really really narrow," said Scott Kannry, CEO at New York-based Axio, a data sciences firm focusing on cyber risk.
"We believe that cyber risk can be solved," he added. "The information is there. It's just not being captured."
AIG isn't alone in forging relationships with cybersecurity firms.
Symantec, for example, recently partnered with Guy Carpenter & Company, the reinsurance arm of Marsh and McLennan.
"Symantec provides Guy Carpenter with technical knowledge and proprietary data to create a cyber-aggregation model that helps reinsurers gain a better understanding of their correlated cyber risks," said Pascal Millaire, vice president of cyber insurance at Symantec.