ENISA proposes a kick-start in EU cyber insurance

The European Network and Information Security Agency (ENISA) is calling on insurance providers to make cybersecurity a key policy.

However, a security expert told us the agency may struggle to get this idea regulated.

In its report, ENISA claimed that businesses and consumers could benefit from better protection for their computer systems and data if the cyber insurance market could be kick-started.

It said that while cyber security seemed to be an important concern for European and national policy makers, businesses and the public, insurance providers across Europe in many cases didn’t comprehensively address digital risk in their policies.

It said this was down to a range of obstacles faced within the industry. These included a lack of actuarial data on the extent of the risk, coupled with uncertainty about what type of risk should be insured against.

To address these problems, ENISA made four recommendations. It said that collecting data on cyber insurance in Europe, looking at the types of risk insured, premiums paid and levels of payouts to determine future trends, would help it see what holes needed to be filled. It asked that this be carried out by insurance underwriters, firms or regulatory authorities.

It added that looking at how incentives could encourage companies to improve their data security could also help them reduce their risk and financial liability if they breach data protection regulations.

Furthermore, it set out recommendations for an agreed framework to help firms put a measurable value on their information. It said this work could be assisted by privacy and information security advisors, underwriters and the European Commission, while it was also prepared to provide further support.

One security expert welcomed the idea, but warned that not everyone will be happy to help.

Speaking with TechEye under anonymity, our source said: “This proposal is a good idea. There are far too many loopholes at the moment which means when it comes to getting money back or reimbursing businesses for this type of loss, there’s a long time frame, which in some cases leads to no money or support at all.

“Cybersecurity, as I have always said, is something that still isn’t recognised enough, despite it being a key problem in today’s working world.

“However, while ENISA has good intentions and good ideas I feel it won’t be as straightforward as implementing this and asking companies to comply. Firstly, setting up such insurance policies will be complicated and costly.

“There also needs to be a blanket cover in place that all companies should offer and getting this standard right will involve policy and legislation. Something I don’t think will sit well with the industry or politicians who will have to oversee it.

“At a time when austerity measures are in place, this rather important idea could be seen as another unnecessary cost.”