European insurance policies may not adequately cover cyber insurance, the European Network and Information Security Agency (ENISA) said Friday. Despite a finding by the World Economic Forum that cybersecurity concerns are one of the top five global risks identified by senior executives and decision-makers, there’s apparently still uncertainty about whether Europe’s market for cyber insurance is mature, it said in a report on incentives and barriers to the market. The U.K. has only a few insurers that offer specialist cyber-insurance products, compared to 30-40 U.S. carriers, it said.

Its study found several possible factors slowing the European market: (1) Not enough robust actuarial data about the extent of risk and magnitude of potential losses. (2) Uncertainty about what risk is being insured. Companies seeking to cover losses from cybercrime or cyberterrorism may cause market fragmentation, particularly where theft or general or professional indemnity insurance might already cover general “cybersecurity” risks, it said. (3) Technology-driven fluctuations in risk and threats, making it hard from an actuarial perspective to predict future losses from past events. (4) Lack of upper limits on losses and absence of government intervention as “insurer of last resort.” (5) Visibility in the insurance market of the efficacy of other types of cybersecurity measures. (6) The perception that existing insurance products are enough to handle cyber risks.

Other possible barriers to more cyber insurance are insureds’ lack of incentives to take steps to reduce the probability of loss after having purchased insurance; and the fact that insurance writers may not have enough private information at the time a contract is made to allow them to differentiate among different types of customers and price accordingly. Those theoretical roadblocks have been well documented, but there’s little empirical evidence about the strength and maturity of the market, ENISA said.

It made four recommendations to try to kick-start the cyber-insurance market. They are: (1) Gather empirical evidence on the use of such products in Europe to determine current and future market trends. (2) Explore the possibility of collective action or redress -- in the form of class action lawsuits in combination with data breach laws -- to offer firms an incentive to take measures to mitigate financial risks of their cybersecurity programs. (3) Consider mechanisms to help companies gauge the value of their information. (4) Explore the role of government as insurer of last resort.

There’s potential for Europe’s cybersecurity policies and laws to be complemented by a prevention-based cyber-insurance market, said ENISA Executive Director Udo Helmbrecht. A better market would help boost cybersecurity levels by putting a true cost on cyber incidents and showing the benefits of putting good security practices in place, he said.