My colleague Anahita Thoms rightly reminds responsible companies that they simply must buy cybersecurity insurance. No excuses. But how does a company actually do that, practically speaking?
The cyber insurance market has traditionally been more developed in the US than in Europe. But a major insurance broker recently stated that the US market for cyber-specific insurance is coming undone. There isn't enough actuarial data for insurers to price cyber policies profitably with any confidence. Faced with unpredictable losses of potentially staggering magnitude, many US insurers are deciding that cyber risk simply isn't something they're willing to underwrite. (Though for the time being, some major insurers are still advertising cyber insurance on their websites.)
That leaves Lloyd's syndicates in London. That’s fine for companies with a sophisticated insurance broker, but harder for smaller US enterprises.
Of course, companies could rely on general commercial policies instead. But notwithstanding a recent decision by the US Court of Appeals for the Fourth Circuit—which has been misleadingly reported as holding that cyber risks are covered under general insurance policies—this isn't a reliable solution. Increasingly, insurers are specifically excluding cyber risks from their general policies.
Nathan Bruschi, a writer at Wired magazine, has an idea for expanding the cyber insurance market, but it's a radical one. It's fundamentally a political decision for countries rather than a business strategy for companies: Countries should securitize cyber insurance into cyber bonds (not unlike catastrophe bonds) and then commit to holding the bonds of their historical adversaries. Not only would this bolster the market for cyber insurance, but it would give countries a stake in the cyber well-being of their adversaries.
First, each country would identify which companies and infrastructure are systemically important to the economy, and compel those entities to buy standardized cyber insurance policies. ... Second, each country would then securitize its insurance pool on the private market, creating country-specific Cyber Bonds. Third, at the next round of international cyber security talks, each country would agree to buy an untradable basket of each other's Cyber Bonds and hold them in their sovereign wealth funds that pay out pensions and stabilize government spending. ... Each basket would comprise Cyber Bonds from every country of the world and be weighted toward each country's unique historical adversaries. ... With a system of Cyber Bonds in place, [countries] would have financial incentive to remove domestic safe havens for criminal hackers, share threat intelligence, and actively protect foreign companies.