One issue is that, traditionally, the insurance industry has been backward-looking, said Steve Durbin, managing director at London-based Information Security Forum.
But in technology, a focus on the past isn't particularly helpful when everything changes so quickly.
"The challenge for insurance companies is more of a cultural or mind shift change that we have to embrace," he said. "Insurance companies will have to look at predictive analytics until we reach the point where they can combine them with actuarial data. Until then, I think it will be quite challenging for them."
When there's a lack of hard data or strict compliance requirements, getting cyber insurance may be difficult or almost impossible.
According to the Information Security Forum, there is currently little or no insurance available for catastrophic risks such as critical infrastructure failure or state-sponsored attacks, operational mistakes, reputation damage, industrial espionage, and loss of intellectual property or trade secrets.
According to the Ponemon survey, inadequate coverage was a major reason not to purchase cyber insurance for 36 percent of companies, tying for first place with the high price of premiums. And too many exclusions, restrictions and uninsurable risks were cited by 27 percent of respondents.
And if a company does get coverage, it may be difficult to get a payout.
"The onus is on the company to prove that their controls were adequate but they still got breached and the insurance company should pay up," said Javvad Malik, security advocate at AlienVault. "It's never an easy process."
It doesn't help sometimes that breaches don't get discovered for months or years.
"It's kind of like health insurance," he said. "Are you covered for existing conditions? This is where it really gets messy."
The problem of low-value policies
One of the reasons that insurance companies might not be doing as much research and analysis as they could, and requiring serious risk assessments on the part of their customers, is that the dollar values of the policies are still relatively low.
"They're not risking a lot," said Itzik Kotler, CTO and co-founder at SafeBreach, an automated penetration testing company. "As the industry grows, then they will revert into more means of measuring the risk."
SafeBreach has insurance companies as customers, he said, but for internal security testing -- not as a risk control for their clients.
"As the industry grows, and companies want to purchase bigger policies, with more money, then the question of how insurance companies will mitigate their risk will be more relevant," he said.