The report, 'Incentives and barriers to the cyber insurance market in Europe,' highlights the fact that while cyber security is an important concern for European and national policy makers, businesses and citizens, the traditional coverage offered by Europe's insurance providers may, with some exceptions, not comprehensively address digital risk.
Obstacles to the development of an effective cyber insurance market include lack of actuarial data on the extent of the risk and uncertainty about what type of risk should be insured against. To address these issues, ENISA makes four recommendations:
- The collection of empirical data on cyber insurance in Europe, looking at types of risk insured, premiums paid and levels of payouts to determine future trends. The action could be taken by insurance underwriters, firms or regulatory authorities.
- Examining incentives for firms to improve their data security as a way for them to reduce their risk and financial liability if they breach data protection regulations. Fact finding with the European Commission would be a first step to understanding this area.
- The establishing of agreed frameworks to help firms put a measurable value on their information. The work could be assisted by privacy and information security advisors, underwrites and the European Commission. ENISA could also give further support.
- An exploration of the role of governments as an insurer of last resort, following other models where policy intervention is in evidence when catastrophic risk is involved. This could be investigated by EU Member State governments and the European Commission.
ENISA's Executive Director, Professor Udo Helmbrecht, said: "This new ENISA report indicates that there is potential for Europe's cyber security policies and legislation must be complemented by a prevention-focused cyber insurance market. As well as providing reassurance that proper cover was available, a developed market in this area would help to improve levels of cyber security by putting a true cost on cyber incidents and showing the benefits of implementing good security practices."