Following a series of well publicized data breaches, cyberinsurance is big business. A company's costs can soar after a data breach - not necessarily because of direct consequences of the breach itself, but because of the spike in customer queries. Organizations need cover for both direct losses and business disruption. Business Insurance magazine reports:
"Aon’s Mr. [Kevin] Kalinich said fewer than 5% of data breaches lead to costs of more than $20 million, and yet more and more companies are seeking to be insured for that and more to protect themselves against the shifting risk. Large customers are going to extremes, taking out coverage for data breach liabilities of as much as $200 million, while also taking $25 million deductibles to keep their premiums down."
The cyberinsurance market is heading for prime time. But: "What is missing from the equation, however, is standards. Insurers can try to standardize the risk from hacking attacks, but cyberinsurance still is not auto insurance, where carriers can make their customers wear seat belts as a condition of a policy."
I can hear some people saying: "They're talking about a different kind of standard, not a data standard. The ACORD community shouldn't get all fired up just because the word 'standards' has been mentioned; data standards should wait on business definitions."
But that's not right. The standards the ACORD community creates are business standards. They're standards that get actualized as collections of bits and bytes. But they're not a whole other species. They are business definitions.
Think about it: How will the industry standardize the concepts, relationships and parameters needed to productize cyberinsurance, so that carriers can rate products correctly and customers can understand value? Everyone with an interest in the development of the business needs to express their needs, and understand the perspectives of others. They then need to agree on a common language for the domain.
This, I submit, is exactly what ACORD does. That the results of these deliberations are expressed in message standards, forms and data models is a technicality. (A technicality that means agreed standards can be implemented immediately by the industry.) If you know of a better way to meet this latest need of the insurance industry, I'd like to know what it is. What do you think?