ENISA report highlights critical barriers to effective cyber insurance market

Empirical evidence needs collecting and understanding to make market more active, says security agency

A report published today by ENISA – the European Network and Information Security Agency – has concluded that, although cyber security is a huge concern for European businesses, the coverage currently being offered by insurance providers is mostly failing to comprehensively address the true risks clients are facing.

The paper puts forward several recommendations to help the industry improve its offerings.

ENISA suggests that empirical evidence of the market is collected as cyber risk insurance is taken up, in order to more appropriately gauge prices, volumes and losses based on reality rather than, as now, rough analytical models. The report suggests that claims from firms with existing insurance contracts are more thoroughly investigated to pull out this data.

Secondly, the report claims that currently opportunities for victims to instigate collective action on policies are limited, as "this would interfere with the interpretation of personal data as a fundamental human right rather than a property right that can be traded".

Updating European consumer rights legislation in terms of information society services, says the report, could be a solution in this regard.

Finally, the report suggests disseminating frameworks to assist firms in "measurement of value of information" in order to help the insurance industry assess what aspects of data their clients actually find most precious, and to help write tailored policies accordingly.

Above all, the report states that governments themselves should be willing to step in as an insurer of last resort, which would help "build upon terrorism re-insurance as a model", effectively giving the insurance industry its own insurance – and thus giving it a more robust business model – as fears of nation state-level cyber terrorism increase.