The hottest topic in the insurance world today is cyber risk insurance, or coverage for the response to and fallout from cybercrime and breaches. As Reuters recently highlighted, the cyber insurance market is set to double in 2014 over 2013 – heady times indeed for a traditionally slow-growth industry in search of new markets. The need for cyber insurance has never been more acute, with numerous, massive incidents at companies like Target (whose CEO subsequently lost his job) and eBay, as well as government agencies including the Office of Personnel Management.

Although these high-profile breaches have led to skyrocketing interest in cyber insurance, they have also highlighted a glaring weakness in insurance companies' ability to price – and therefore offer – such coverage: the lack of incident resolution expertise, technology and processes among clients requesting coverage.

2014 has already been a banner year for hacking activity leading to major cyberbreaches, from the aforementioned eBay and Target breaches – a trend which hit fellow retailers Neiman Marcus and Michaels Stores – to the alleged Chinese hack into the U.S. government's Office of Personnel Management's systems. According to IDG, the first half of 2014 saw a 21% increase in data breaches over the same period in 2013. At this pace, 2014 will easily eclipse 2010 as the worst year on record for data breaches.

This has led to an explosion in interest in cyber insurance, helped along by widespread coverage of Target's ability to cash in on the $100 million of “tower” cyber insurance coverage it carried into the massive breach of its point-of-sale systems – to the tune of $44 million in reimbursements through Q1 2014 alone. Inevitably, this led to two simultaneous and opposite reactions: among potential insured entities, the interest level in cyber insurance exploded as more companies sought to mitigate their own growing exposure to cyberbreaches, while amongst insurers the Target example led to the sobering realization that they cannot effectively price cyber risk.

The cyber insurance market is being held back by a lack of maturity in two critical areas. First, insurers have an alarming inability to model client risk. Cyber insurance is so new there is almost no empirical data for insurers to use – and empirical data is the currency of insurance. Without this knowledge, it is virtually impossible for a policy to be priced accurately. This is akin to writing an auto policy without knowing if the driver is a 45-year-old professional non-drinker or a 21-year-old college student.

As it has always done with new policy types, the insurance industry will eventually build up enough empirical data to make risk modeling reliable. Getting there, however, will involve threading the needle between covering too much risk (thus losing money on overly aggressive policies) and eschewing manageable risk (thus allowing competitors to profit from one's own timidity).

Second, insurers aren't yet requiring clients to become prepared to deal with major breaches. As the Target board has come to realize, even a company with virtually limitless resources can be unprepared for a breach. For the insurer, this would be like writing a fire policy without requiring the client to have a sprinkler system. Why would insurance companies do such a thing? Because they approach the problem very much like their clients: that a breach is something to be prevented, not to be expected, detected and remediated quickly.

How can potential insureds and the insurance companies desperate to cover them with lucrative yet sensible policies find common ground? Three simple steps will go a long way toward achieving that end:

  • Realizing breaches are inevitable, focus more on quick detection, response and remediation than prevention. The idea that a network – any network – is impenetrable simply no longer reflects reality. Prevention is obviously important, but what really minimizes exposure is speed of resolution with any incident. If Target taught us nothing else, it was that even a cybersecurity team of more than 300 that has spent “several hundred million” dollars on the latest protective gear can fail. Where the Target breach went from minor incident to major hack was in ineffective incident response: it took Target weeks to shut down the breach, during which time tens of millions of user accounts were compromised.
  • Require a full-fledged incident resolution team and process. Arguably the biggest weakness for most companies is their lack of knowledgeable talent in-house that can handle a breach's aftermath. Without the right people in place working with a sound process vetted in advance, breaches will inevitably get worse. No insurer would write a commercial building policy without a building security team and response plan, so why treat cyber security any differently?
  • Work with clients to develop best practices, starting with “mean time to response (MTR).” The development of sustainable health, fire, auto and life programs illustrates a tried-and-true path forward, namely working with clients to develop metrics to indicate particularly risky (or healthy or safe) behavior. By far the best way to minimize any breach is to detect and remediate it as quickly as possible. Although MTR is a new metric, it has already gained momentum as a quick way of gauging a company's cybersecurity maturity.

Cyber insurance is ready to explode in the coming quarters and years as clients and insurance companies alike are clamoring for coverage. But the only way to unlock the market's potential is for both sides to collaborate on the development of best practices, especially in the area of rapid detection and response. Without “virtual sprinkler systems” as standard features of any cybersecurity program, cyberbreaches cannot be expected to be contained before major damage is done – an outcome no one wants to see.
