Cyber-Insurance: A Market-Based Approach to Risk Management

Cyber-insurance has never taken off in the industry. But that may be about to change with recent announcements from a major underwriter that a larger pool of policies, and larger policies than were provided in the past, will now be made available. Once cyber-insurance becomes more common it will create a positive feedback loop between risk management, reporting and security metrics. For the first time the industry will have a way of pricing risk and making a connection between incidents and the effectiveness of controls on an actuarial basis.

Recently, I spoke on an ICS-ISAC conference panel on cyber-insurance. One of the attendees asked “What is cyber insurance?” That was a good reminder of the lack of knowledge in the industry generally on this topic. We panelists explained that cyber-insurance covers the “cyber-exclusion” gap. Conventional insurance policies cover physical or accidental damage to IT facilities, but if you experience a cyber attack you’re out of luck. Cyber-insurance closes that gap, covering you against a cyber attack whether it comes from an external hacker or from an insider.

Cyber-insurance is still an immature space, and even large Fortune 50 corporations with global facilities and very large policies are unlikely to have more than $10 million in cyber insurance. And you have to look at the language of riders on the policies very carefully. When it comes to policy language and large claims it’s still a tricky business and will remain so. But it doesn’t help that, in the words of one of our panelists, “We really don’t have any idea what the actuarial risks of cyber attacks are.”

Industry Challenges
In his recent newsletter, Dr. Fred Cohen wrote: “In order for insurance to work, several things have to be true. It’s not just a matter of some insurer offering to fix or pay for what happened. The insured has to pay for the insurance, and it has to be profitable for the insurer as well as a benefit to the insured. And perhaps even more important to me, effective insurance should drive improvements by the insured.”

In other words, insurance has to benefit the buyer, the insurer and the industry. Buyers need a good selection of affordable premiums and packages suitable for their situation. They have to be confident that the insurer will live up to its end of the bargain, and that there is no practical or reliable preventative mitigation that costs less than the premiums. By the same token, the insurer must be comfortable that it has a large enough pool to spread the risk and that it understands the causal factors giving rise to claims statistically and can build them into the pricing model, coverage eligibility, and terms of the policies.

None of these things has been true for cyber-insurance in the past. Security has been a technical mystery to business people; the insurance industry has provided uneven support; and some existing insurance policies have gotten a bad reputation as being a lousy deal or not paying off. But these are not insoluble problems. Complicated though it may be, IT security is arguably less complex than health care. At one point insurers despaired of being able to cover medical malpractice because of its complexity. However, they eventually found the solution: bring in the doctors to help develop the policies. Today, the security industry has a chance to do the same.

Driving Forces
Increasing numbers and sizes of breaches and regulatory pressures are driving new interest in cyber-insurance. Target and Home Depot had recent breaches and face tens or hundreds of millions of dollars in losses. Many company executives are feeling helpless and uncertain in the face of cyber risks, seeing the growing frequency and consequences. Only the trial lawyers seem to have a good grip on what to do about breaches, and businesses are concerned about cascading liability flowing up and down the supply chain. Questions abound: How serious are the threats against us, what constitutes due diligence, what controls are effective, and how much effort is enough? And insurance companies are noticing the growing cost of the breaches and wondering if now is the time for them to get a piece of the action.
Cyber security seems like a problem that’s ripe for a risk-based, market solution. If insurance companies can determine standards of practice that are more effective and systematically drive the deployment of more effective controls throughout the industry, the level of losses might stabilize. There is a precedent: years ago, in the jewelry business, adoption of a standard set of protections across all policy-holders reduced losses.

More than Just Risk Transfer
If markets are conversations through which participants exchange information as well as transact goods and services, then the lack of a common vocabulary between the security market and the corporate boardroom has held us back. A more sophisticated cyber-insurance market with broader adoption could facilitate a conversation around a vocabulary of quantified risk and quantified control effectiveness. It’s as if the security industry has been wandering around in the dark for years, not knowing who the threats are, how effective the controls against them might be, or even what certain types of incidents might cost. We’ve never been able to reduce questions of risk to dollars and cents for the boardroom conversation; we’ve never been able to guarantee that our controls would work; we’ve never been able to say how much security is enough, or that there would have been an incident had we not invested in specific security measures.
Insurance, on the other hand, provides a way of pricing risk. The theory is that, to some degree, risk can be quantified as the cost of your premium plus the cost of your deductible plus whatever residual risk you estimate will not be covered by the policy. The controls that are effective are (at least) those that your insurance company requires you to deploy. And as more companies are covered by cyber-insurance, and as insurance companies gather data from multiple risk assessments and incident reports, they will become still more sophisticated about what they ask companies to do in order to get the best premiums or to be covered at all. Insurance will function like the giant industry feedback loop envisioned in the figure at the beginning of this post.
There is currently much interest on the provider side in offering cyber insurance. Many providers are scrambling to get into the market. If they can actually make money, the market will grow quite rapidly. Of course, if they fail, it will not grow so rapidly. Many security professionals are growing hopeful that cyber-insurance will succeed. For myself, I have more than a passing interest in cyber-insurance; the topic aligns my passion for more effective cybersecurity with my business interests. That is to say, I’ll be available to support partners in Fearless Security performing assessments for cyber-insurers in the coming months and will write more about this in future posts.