VIEW 26
Where are the peacock's feathers?
Beautiful as they are, a peacock’s feathers actually serve a very practical purpose. They have evolved over millennia as a visible sign of mating fitness.
A peahen, simply by looking at the splendour of the peacock’s tail, can gauge the health and desirability of that individual as a potential mate. A simple visual clue that provides a reliable measure of underlying soundness.


Smoking or non-smoking?
In some branches of insurance there are similar simple measures that enable the segregation of good risks from bad. Think of health insurance. A question such as “Are you a smoker or a non-smoker?” is an easy place to start. Of course, a more exhaustive questionnaire and some medical tests with blood work will provide a much more detailed assessment. But only a few simple questions are needed to separate the sheep from the goats. This is the insurance equivalent of the peacock’s feathers.
So, the question for cyber is “Where are the peacock’s feathers?”. The sad answer is that they are still evolving. There are some published technical standards, such as the NIST Cyber Security Framework, the ISO 27000 series standards and the UK Government’s Cyber Essentials certification, which set out sensible guidelines. But it is still a fairly open question whether compliance with these guidelines substantially reduces cyber risk. After all, the very best companies still get hacked and even the National Security Agency itself has suffered breaches (e.g. Snowden).
The fortuitous loss
The central issue here is the concept of the ‘fortuitous’ loss: a loss that is beyond the control of the insured. Government regulators in the USA and Europe impose fines for data breaches. But if the insured has followed best industry practice in terms of cyber security, is it really fair for it to be penalised in this way? What is needed is a widely accepted set of indicators – some peacock’s feathers – that can be used as a fortuity test to absolve insured corporates of blame. This is an area where close cooperation between the cyber security and insurance industries could lead to very fruitful results for both parties.