Cyber attacks are one of the greatest threats to businesses and individuals alike because of the scalability of hacks. Once a hacker has the ability to hack 100,000 people, it takes no more effort or skill to hack a hundred million people (Meltdown and Spectre are showing that once a processor vulnerability can be exploited once, the attack can be scaled to the majority of computing devices in the world, and to most cloud storage). We continuously hear how hacks are changing our lives. The Equifax hack hit nearly half the American population, and it has prompted tens of thousands of people to freeze their credit. And as the internet of things is just starting to heat up, the possibility of real harm being done is going to increase exponentially.
Firms have the knowledge and ability to prevent such attacks from happening, but the incentive to invest heavily in making that happen has not been strong enough. It has been determined that Equifax could have prevented the hack: the company was informed of the vulnerability in Apache Struts and given a patch, which it did not apply. So far their bill has run up to the tune of $87.5 million. There are countless examples of preventable hacks where the cost/benefit analysis was judged not to justify the investment. On top of that, every time a company agrees to a software provider's terms, the software company is absolved of responsibility. So if the software provider is passing accountability to the company using its software, and the company is not taking serious financial losses because insurance policies cover those losses (and apparently not too bad of a reputational hit either), then where does the buck stop? It stops with the insurance companies, and this is why cyber insurance has the ability to change everything.
Since cyber attacks of the magnitude of WannaCry and Equifax have been relatively infrequent, cyber insurance premiums have been depressed, but it is only going to get worse from here. The average cost of a data breach in 2017 was $3.62 million. For the moment most insurance contracts are written in broad language (no standard ISO form exists yet), but it is likely only a matter of time until insurers tighten the language and require a warranty if the contract is to indemnify a loss. This warranty will probably state that available software patches must be installed within a specific window of time, or else the insured has no coverage, thus changing how companies manage risk. If that language had been included in Equifax's policy, they would likely have had redundant controls in place to ensure that the failure to patch the software did not happen in the first place.
Many businesses do not believe they are vulnerable to hacks because they do not hold onto confidential information, but this belief is misguided. Any business that has a CRM system, relies on its computers to communicate with customers, has digital documents, or performs any business function online is vulnerable. If someone decides to use ransomware to freeze your computers until you pay them to unlock them, your business could come to a screeching halt, and on top of that you are out whatever ransom the hacker demands.