Last week the White House published a blog post on potential incentives to support its cyber security framework initiative. This cyber security initiative, released in February of this year, aims to create a voluntary cyber security program. One interesting incentive it highlights concerns cyber security insurance.
I have spoken with many companies regarding cyber insurance. The most significant challenge for insurance companies is understanding how to evaluate the risk their clients present. Their current method of assessing (and, granted, there may be better methods followed by other insurance companies out there) is essentially a one-page self-assessment questionnaire. If you answer "No" anywhere on the form, you are denied coverage. However, does answering "Yes" really mean the control is actually effective and implemented? Does the person filling out the form even understand what the question is asking? I have always assumed that once cyber insurance becomes more prevalent and organizations actually start claiming losses, then we will see a shift in the way it is evaluated. I will be really interested to see the impact the executive order has on cyber security insurance. Stay tuned?