Insuring items of value is considered standard practice when protecting investments. In the physical world, we have access to alarms, surveillance, and other measures that can function as reasonably effective deterrents. In fact, knowing the physical security controls protecting an asset provides reasonable confidence in determining the risk of that asset to theft.
In the digital world, only a limited amount of data has been collected to determine the risk of digital assets based on the security controls protecting them. This lack of data makes setting cybersecurity premium rates difficult, and rates often do not correlate with the actual level of risk. This unfairly penalizes those organizations that spend considerable resources protecting their assets, while also exposing the insurer to free riders (i.e., organizations that pay less for insurance than their true risk would warrant).
The cyberinsurance market must evolve. How can we provide more accurate assessments of risk? Read on for a new perspective on insuring digital assets.