My colleague Anahita Thoms rightly reminds responsible companies that they simply must buy cybersecurity insurance. No excuses. But how does a company actually do that, practically speaking?
The cyber insurance market has traditionally been more developed in the US than in Europe. But a major insurance broker recently stated that the US market for cyber-specific insurance is coming undone. There’s not enough actuarial data for insurers to design profitable cyber policies with confidence. Faced with unpredictable losses of potentially staggering magnitude, many US insurers are deciding that cyber risk simply isn't something they're willing to swallow. (Though for the time being, some major insurers are still advertising cyber insurance on their websites.)
That leaves Lloyd's syndicates in London. That’s fine for companies with a sophisticated insurance broker, but harder for smaller US enterprises.
Of course, companies could rely on general commercial policies instead. But notwithstanding a recent decision by the US Court of Appeals for the Fourth Circuit—which has been misleadingly reported as holding that cyber risks are covered under general insurance policies—this isn't a real solution. Increasingly, insurers are specifically excluding cyber risks from their general policies.
Nathan Bruschi, a writer at Wired magazine, has an idea for expanding the cyber insurance market, but it's a radical one. It's fundamentally a political decision for countries rather than a business strategy for companies: Countries should securitize cyber insurance into cyber bonds (not unlike catastrophe bonds) and then commit to holding the bonds of their historical adversaries. Not only would this bolster the market for cyber insurance, but it would give countries a stake in the cyber well-being of their adversaries.