“The UK Government-issued report suggests that as many as 98 per cent of large UK firms lack the insurance to help them recover from a serious cyber attack.
“The wider issue here that we keep coming back to is a lack of cyber skills within vertical industry sectors. The insurance industry simply does not have the skills to accurately assess cyber risk without partnering with specialist organisations. This is because the issues that need assessing are deeply technical in nature.
“The increasing number of compromised organisations experiencing high-profile incidents demonstrates how misaligned current defensive postures are versus the attacker’s advantage. It is going to be hard for an insurance company to assess effectively without a good understanding of the motivations of attackers versus the defensive maturity of the target.
“Picking out which insurance is correct for the business is tricky at the best of times, but especially with something as specialist as cyber insurance – companies will want to know there are the skills and knowledge to back up the cover, so they don’t feel they are throwing money away.
“One answer would be for the insurance companies to formally link with industry bodies such as CREST, to define a basic approach that could start to be used to assess risk, and then apply suitable premiums.
“A company that could show that it had achieved a better level of defence could then argue for its premium to be lowered, in line with the industry standard.”