The European Network and Information Security Agency (ENISA) issued a report last week on the "Commonality of risk assessment language in cyber insurance". The aim of the report is to encourage and facilitate harmonisation in the cyber insurance market. Its findings and recommendations are valuable reading for those who have an interest in what is probably the fastest growing sector of the insurance industry.
A notable finding of the report is that despite the diversity of cyber insurance products on offer (and consequent buyer confusion) there is considerable consistency between the coverage offered, if one looks past the varying terminology.
In contrast, however, there is a lack of uniformity in underwriting practices (as well as in policy wordings). This flows from a lack of consensus as to which security standards underwriting questionnaires should be based on.
It is of course true that certain cyber threats may pose a higher risk for some sectors than for others, depending on the nature of their business. However, whilst recognising this, the ENISA report makes a strong argument that, notwithstanding valid concerns about competitive advantage, the cyber insurance industry and its future clientele would benefit from greater consistency in both policy wordings and risk assessment. Consistent language in policies would ease product comparison and so make the prospect of buying cyber insurance less bewildering, particularly for small enterprises without dedicated risk managers. At the same time, the report suggests that, by progressing towards consensus on the appropriate standards, the sector can move away from underwriting based on value judgement towards a more quantitative approach. This could in turn facilitate better analysis of aggregation or accumulation scenarios, thereby enabling better management of capital and enticing reinsurance capacity.