The Future of Cyber Insurance: Training and Standardization

Steven Schwartz, Managing Director at CEO Quest and Vice-Chairman of the International Personal Data Trade Association, has expressed his concerns about the future of the cyber insurance industry. As organizations advance to become “data companies” predominantly operating in a digital world, one where assorted options for platforms exist, a big question comes to light.

“How can the industry appropriately underwrite, analyze, and manage the most interconnected, dynamic risk in the world with a static piece of paper?” – Schwartz

It’s only a matter of time before the process of writing risk insurance premiums begins to change and the cost of cyber insurance rises. Organizations, cyber insurance brokers, and underwriters are all asking: what is the most effective method to confront cyber risk today? Behavioral surveys and experts both point to one reason for the poor cyber hygiene of employees: inadequate training.

Cyber insurance underwriters like Schwartz want as few claims as possible, but while employees remain the ‘weakest link’ in preventing cyber-attacks, receiving a small number of claims seems unlikely. Consequently, insurance brokers trying to link low-risk companies with cyber insurance underwriters often have difficulties properly evaluating an organization’s cyber risk.

Each training application is unique. It can be challenging to compare different organizations’ employee cyber awareness. Most underwriting apps verify whether an organization performs training, but few evaluate its frequency, effectiveness, or vendor. That leads to data without context. Data without context is useless.

Regarding risk aggregation, Schwartz says he hasn’t seen a consistent method to capture the same data points that conform to a specific industry classification. In other words, there is no ‘gold standard’ within the selective group of cyber insurers providing the coverage. The process of assessing cyber risk needs more standardization.

A solution making its debut is the Employee Cyber Readiness Audit Tool from the University of Massachusetts Dartmouth. This tool delivers a more in-depth evaluation of the cyber behavior of employees by incorporating a training aspect into the risk audit. It educates employees on the errors caused by bad cyber behavior and provides insurance brokers with the data they need to accurately measure the cyber risk of different organizations.

The tool was developed after a recent survey again revealed a significant disconnect between traditional training methods and employee cyber awareness. Responses from the most recent survey ranked even lower in the relevant categories of cyber awareness. The idea for a new, complimentary, and precise cyber risk audit tool was then formed. See Dr. Steven White and Timothy Shea’s findings here.

Corporate cyber-attacks become more prevalent each week. Incorporating cyber training will not only lead to cleaner risk audits and lower insurance premiums, but it will also produce a safer cyber world for future businesses. The tool is free of charge and will be released in early August.

 

Written by Ben Cook