The recent growth in the cyber insurance market is already improving cybersecurity in some industry segments, and has the potential to do more -- if the industry is able to address its data problem.
One area where cyber insurance has already made an impact is in the retail space, said David White, founder and COO at Axio Global, a cyber risk company.
After the 2013 Target breach, it became very difficult for retailers to get a decent price for cyber insurance unless they had completely switched over to end-to-end encryption, or had a definite plan in place for doing that.
"I spoke to a large retailer at a conference a year ago who was wringing their hands because they could not buy cyber insurance -- the sort that would cover a payment card data breach," he said. "Their problem was that they had not allocated the funding to install end-to-end encryption and were not even planning to in the foreseeable future. The risk manager told me that they had approached the insurance market annually for several years and all she could get were 'FU quotes.' The cyber insurance industry has been a substantial force in driving retailers to adopt end-to-end encryption."
Next, White said, he expects insurance companies to start insisting on anti-phishing awareness programs, strong network segmentation, and network hygiene controls for industrial control systems.
"A decent analog is the presence of sprinkler systems and other fire suppression systems as a consideration for property insurance," he said. "Organizations don’t stop buying fire insurance because they install a sprinkler system, but they do get more attractive rates."
Insurance companies are helping set some general standards for cybersecurity, said Mark Sangster, vice president and industry security strategist at eSentire.
And it's not just for the point at which the policy is written, he added. Insurers are adding language to contracts that require companies to maintain a particular level of security.
"For example, you must do annual cybersecurity training, and if you do those things, you can have the policy and it will cost you this amount," he said. "That's like them saying, if you're caught doing reckless driving, your auto insurance is null and void. I think they are one of the top influences at the moment when it comes to what cybersecurity policies and procedures need to be looked at."
Insurance companies are asking for minimum controls, agreed Jenny Soubra, head of the U.S. cyber practice at Allianz Global Corporate & Specialty. But they're also starting to go beyond that, with more services, she said.