The cyberinsurance industry is a mess
Good essay on the current state of cyberinsurance.
So where does that leave the growing cyber insurance
industry as it tries to figure out what losses it should cover and
appropriate premiums and deductibles? One implication is that the
industry faces much greater challenges than trying to quantify or cover
intangible -- and perhaps largely imaginary -- losses to brands'
reputations. In light of the evidence that these losses may be fairly
short-lived, that problem pales next to the challenges of determining
what should be required of the insured under such policies. Insurers --
just like the rest of us -- don't have a good handle on what security
practices and controls are most effective, so they don't know what to
require of their customers. If I'm going to insure you against some type
of risk, I want to know that you're taking appropriate steps to prevent
that risk yourself -- installing smoke detectors or wearing your seat
belt or locking your door. Insurers require these safety measures when
they can because there's a worry that you'll be so reliant on the
insurance coverage that you'll stop taking those necessary precautions, a
phenomenon known as moral hazard. Solving the moral hazard problem for
cyberinsurance requires collecting better data than we currently have on
what works -- and what doesn't -- to prevent security breaches.