The cyber insurance market continues to evolve, and major questions remain unanswered. Should policies cover regulatory fines? Should first- and third-party claims be addressed in separate policies? The list goes on.

For the consumer, here is an interesting thought experiment: Is it actually a good thing for companies to have limited access to cyber insurance? Aside from niche exceptions (like GINA, HIPAA, etc.), there is a dearth of regulation pertaining to how private entities treat the personal data they collect. A security breach is one of the only instances in which a company exposes itself to liability for misuse or mistreatment of data. In some instances, the resulting penalties and lawsuits provide a sharp kick in the rear to the offending company, often forcing it to reassess and reinvest in its cybersecurity posture.

Cheap, easy access to expansive cybersecurity insurance policies would remove that incentive. If it becomes cheaper to buy insurance policies than to invest in improving cybersecurity internally, then many companies will simply fork over the cash. But so long as policies remain narrow, murky, and limited, it is critical for companies to be rigorous about their internal security, which ultimately benefits the customers who house data with these companies more directly than a cyber insurance policy ever would.