ITC 2015's panel on cyber insurance set out some good outlines for the topic, but I'm not sure we're ready to color in the picture yet. The center of this subject is a region of uncertainty.
Some of the speakers seemed to regard cyber risk as purely about data breaches. Loss of data is important for sure, but so are the other kinds of disruption (and destruction) that can be carried out using information and communications technology.
I want to pick on one comment made by the panel: We don't have good data on cyber – we lack a measure of the losses. Without loss data, we can't pool risk. But it's unlikely any one insurer will amass enough credible cyber loss data any time soon. So the industry needs to find a way to share cyber loss data without impacting competitiveness or breaking any rules.
If cyber loss data was in the public domain, or measurable by external actors, we'd be okay. As one panel member said, we have data for earthquakes but not for cyber. Information professionals within the insurance industry must see the cyber data problem as a trigger for collaboration. We need to share if our rating models are to have any meaning – and our customers to have the products they need.
Two other points from the discussion: Regulators could help by extending cyber protection requirements to small and medium sized enterprises; and insurers could help by having cyber insurance on their own risks! Both of these moves would definitely help awareness.