Cybersecurity is a real and growing concern for companies of allsizes, but it can be difficult to accurately assess the risk ofexposure and likelihood of a successful cyberattack. With theaverage cost of a data breach currently sitting at $3.62 million,according to the Ponemon Institute, it's not something you canafford to ignore.

Related: How to sell the value of cyber liabilityinsurance

For most businesses, the cost of reducing the risk to zero issimply too high. The threat of ransomware, employee error, softwarevulnerabilities and other risks is growing. It requires expertisethat is in short supply and the right tools to safeguard yourbusiness, but cyber insurance could cover the gap. No wonder thenthat the market is forecast to grow to almost $17 billion by 2023,according to P&S Market Research.

However, careless companies with poor security postures could bedriving up premiums for everyone else.

Rewarded for sensible behavior

The concept of insureds being rewarded for good behavior, in theform of lower premiums or other incentives, already has a greatdeal of traction in the insurance market. The advancement oftelematics has paved the way for new levels of driver monitoring,so that carriers can recognize good drivers far more easily thanbefore. Fitness tracking is beginning to have an impact in thehealth insurance field. Why can't the same concept be applied tocyber insurance?

Businesses are slow to implement preventive measures, accordingto KPMG, because they don't understand the value.Incentives in the form of premium discounts could change all ofthat, improving security, reducing incidents, and ultimatelyreducing what carriers must pay out. It's the win-win concept atthe heart of good insurance — reducing risk is good foreveryone.

How do you measure?

What is required for behavior-based cyber insurance to work isan accurate, swift and reliable method of measuring the currentstate of a company's security. Sending out in-depth questionnairesis fraught with difficulty. When technical questions might resultin denial of coverage or higher rates, it's tricky to guarantee theaccuracy of answers. Sometimes the prospect simply doesn't know,because an alarming number of businesses lack real insight into thepotential threats.

Related: Keeping client data safe while processing insuranceclaims

While auto-insurers can draw reliable data from black boxes tomap driver behavior and uncover risk, it is not that easy withcybersecurity. Carriers need metrics to help them distinguishbetween high and low risk applicants. The ability to assess theactual cybersecurity posture of the enterprise could be enormouslyvaluable. Just as FICO scores might be stirred into the mix whencarriers assess individuals, PCI and HIPAA compliance could beemployed when assessing companies and their partners.

Driving improvements

An automated and standardized method of fully assessing anorganization's security posture across the hybrid cloud andon-premises would give the carriers the data they need, but alsohelp highlight issues that companies need to remediate. Benchmarksand regulatory frameworks have clear rules that can form the basisof thorough assessments.

Related: The GDPR cyber insurance checklist: Are youcovered?

The investigation of potential threats and the business lossesthat might result from things like network downtime, data theft andreputational damage builds a strong case for the organizationimproving its security posture and points the way to do it. Ifbusinesses can reduce cyber insurance premiums and improve securityat the same time, the value becomes clear.

Cyber insurance is essential

Though the risks are acknowledged, uptake of cyber insurance hasbeen fairly slow so far. Last year's Cyber Market Survey from the Council ofInsurance Agents and Brokers (CIAB) found that just 32% ofrespondents' clients had purchased some form of cyber liability ordata breach coverage in the previous six months.

However, things are improving and this year's survey reports the demand for cyber insurance isgreater than any other line of business with 79% of respondentsreporting a “somewhat” or “significant” increase in demand.

The trend is clear. Cyber insurance is a vital part of anymodern security program. There's an opportunity here forforward-thinking carriers to integrate automated risk postureassessment and offer lower premiums for careful companies. In thetradition of great insurance products, this will drive tangibleimprovements and reduce risk for all concerned.

Jack Kudale is chief operating officer for Cavirin Systems, aprovider of continuous security assessment and remediation forhybrid clouds, containers and data centers. He was previously CEOof Lacework, a cloud security startup, and held senior roles atSnapLogic and CA Technologies. Contact him at [email protected].