Organisations have relied upon cyber insurance as a tool to mitigate cyber-risk at the expense of implementing appropriate cybersecurity controls. However, the erosion of cyber insurance coverage is forcing insurers, reinsurers and organisations to reconsider the way forward for cyber-risk mitigation. Cyber-risk is a dynamic and unstable risk that today is, in general, poorly managed by public and private sector companies. This is demonstrated by the frequency, complexity and severity of cyber attacks; the ability of the insurance industry to economically underwrite and mediate cyber insurance claims; and recent interventions by the US government in cyber legislation and cyber regulatory enforcement.
The dynamic and evolving nature of cyber-risk and its transition from an extreme loss to an expected loss event, the failure of market forces to mitigate cyber-risk, and the increased involvement of governments in the creation of cyber legislation and regulatory enforcement regimes are indicators of the challenges organisations and insurers face when managing cyber-risk, as demonstrated by increased insurance loss ratios, an increased coverage gap and insurance caps.
Developments in US cyber legislation and regulatory enforcement transfer cyber-risk management into the boardrooms of covered entities. Regulation enforces changes to corporate cybersecurity risk management and regulatory reporting, providing opportunities for the cyber insurance industry to oversee and assure the cyber-risks of their clients, and for organisations to implement the appropriate practices to manage cyber-risk. This could be the start of equitable and economic cyber insurance, and could mitigate cyber-risk appropriately, in line with shareholder and market expectations.