Computer Business Review | August 10, 2017
It’s clear that corporations want to buy insurance to reduce their exposure to losses from cyber-attacks, and insurers have responded to the need. However, most buyers are dissatisfied – the coverage amounts are low, and the covered events are too narrow. From the insurer’s point of view, it had to be this way, due to historic challenges with visibility into cyber risk and liability.
When everyone wants the same kind of policy, the insurer has to think about the systemic risk, and if that systemic risk is poorly understood, each individual policy has to stay small. Think of everyone in a Medieval town wanting to buy fire insurance at the same time – individually, they all want the same thing, but the insurer can’t take on the combined risk without understanding whether the houses are all in the same town, or made of the same flammable material.