Cyber-Insurance: A Market-Based Approach to Risk Management
Recently, I spoke on an ICS-ISAC conference panel on cyber-insurance. One of the attendees asked “What is cyber insurance?” That was a good reminder of how little the industry generally knows about this topic. We panelists explained that cyber-insurance covers the “cyber-exclusion” gap. Conventional insurance policies cover physical or accidental damage to IT facilities, but if you experience a cyber attack you’re out of luck. Cyber-insurance closes that gap, covering losses from a cyber attack whether it comes from an external hacker or from an insider.
Cyber-insurance is still an immature space and even large Fortune 50 corporations with global facilities and very large policies are unlikely to have more than $10 million in cyber insurance. And you have to look at the language of riders on the policies very carefully. When it comes to policy language and large claims it’s still a tricky business and will remain so. But it doesn’t help that, in the words of one of our panelists “We really don’t have any idea what the actuarial risks of cyber attacks are.”
For the market to work, insurance has to benefit the buyer, the insurer and the industry. Buyers need a good selection of affordable premiums and packages suitable for their situation. They have to be confident that the insurer will live up to its end of the bargain, and that there is no practical, reliable preventative mitigation that costs less than the premiums. By the same token, the insurer must be comfortable that it has a large enough pool to spread the risk, and that it understands the causal factors giving rise to claims well enough, statistically, to build them into the pricing model, coverage eligibility, and terms of the policies.
Increasing numbers and sizes of breaches and regulatory pressures are driving new interest in cyber-insurance. Target and Home Depot had recent breaches and face tens or hundreds of millions of dollars in losses. Many company executives are feeling helpless and uncertain in the face of cyber risks, seeing the growing frequency and consequences. Only the trial lawyers seem to have a good grip on what to do about breaches, and businesses are concerned about cascading liability flowing up and down the supply chain. Questions abound: How serious are the threats against us, what constitutes due diligence, what controls are effective, and how much effort is enough? And insurance companies are noticing the growing cost of the breaches and wondering if now is the time for them to get a piece of the action.
If markets are conversations through which participants exchange information as well as transact goods and services, then the lack of a common vocabulary between the security market and the corporate boardroom has held us back. A more sophisticated cyber-insurance market with broader adoption could facilitate a conversation around a vocabulary of quantified risk and quantified control effectiveness. It’s as if the security industry has been wandering around in the dark for years, not knowing who the threats are, how effective the controls against them might be, and even what certain types of incidents might cost. We’ve never been able to reduce questions of risk to dollars and cents for the boardroom conversation; we’ve never been able to guarantee that our controls would work; we’ve never been able to say how much security is enough or that if we had not invested in specific security measures that there would have been an incident.
There is currently much interest on the provider side in offering cyber-insurance. Many providers are scrambling to get into the market. If they can actually make money then the market will grow quite rapidly. Of course, if they fail then it will not grow so rapidly. Many security professionals are growing hopeful that cyber-insurance will succeed. For myself, I have more than a passing interest in cyber-insurance; the topic aligns my passion for more effective cybersecurity with my business interests. That is to say, I’ll be available to support partners in Fearless Security performing assessments for cyber-insurers in the coming months, and will write more about this in future posts.
- After the Breach discusses the role of cyber-insurance in incident response