Insurers have been blindly moving to expand access and coverage in cyber insurance despite their inability to confidently assess and quantify holistic cyber risk. Visibility into the exposure remains poor, and overstated modeling capabilities have brought unjustified confidence and misleading precision to materials presented to internal underwriting, risk management, auditors and clients.
Cybersecurity is an adversarial challenge—with victims subject to opportunistic and strategic targeting and constantly changing techniques and tactics. As a result, it is nearly impossible to understand the extent of exposure in such a dynamic risk landscape. The current evaluation methods, questionnaires and external scanning are simply inadequate, and the insurance community has embraced false precision in models built upon such limited datasets. This misguided confidence stems from teams and tools that are not focused on actual security methods.