An FT article today highlights the intersection of two issues that I've found interesting for some time: the common misconception that cybersecurity is just another word for data privacy, and the difficulty of building a cyber insurance market when there's not enough data to quantify cyber risk (yet).
(Freshfields Partner Tim Harkness likes to quip that when a lawyer says "interesting," he or she usually means "bad." In this case, his quip is spot on.)
On the first point, the article rightly highlights that cybersecurity is most definitely—absolutely, under no circumstances, I cannot stress this enough, please if you take one thing from this post, take note of this—not just about data privacy and data breaches. Data breaches are merely one element of the cybersecurity triad, the other two elements being the integrity and availability of systems. Companies must protect themselves against hackers who would corrupt and co-opt their systems for nefarious ends such as sending fraudulent wire transfer requests. And they must also protect themselves against hackers who would bring down entire systems for profit or just for fun.
The second point is that the market for cybersecurity insurance has been slow to develop because there's not yet enough data to build actuarial models covering the panoply of cybersecurity risks. It's getting easier to predict the magnitude and probability of losses due to personal data breaches. The variables there are relatively simple: the number of individuals about whom a company keeps sensitive data, the type of data kept, and so on. As the tally of data breaches climbs, it's easier to predict how many data subjects will suffer losses and how bad (ahem, "interesting") the losses will be. But it's still very difficult to quantify the probability and magnitude of something like the SWIFT hacks or a hack that brings down a bank's systems.
For previous posts on these points: