By Phil Huggins, Vice President of Security Science at Stroz Friedberg
The heightened corporate interest has been driven, in part, by a similar explosion in cyber breaches. Attacks have increased in frequency, impact and cost and, significantly, have captured the imagination of the general public and the media. A Wall Street Journal poll in 2014 identified that, as a result of US data breach notification laws, some 45% of Americans reported that they or a household member had been notified their card data was breached. While US notifications have driven the perception of cyber risk, focusing on credit card and healthcare data breaches, there is also growing concern, especially in the utilities and energy sectors, about managing the much more costly risk of cyber business disruption.
Governments are promoting the cyber insurance market, especially in the US and the UK, as they see the market as a lever to drive much needed cyber security improvements in the private sector. Their expectation is that this will align risk assessments with good practice, while incentivising good risk management, thereby reducing the need for direct government involvement and regulation. The recent launch by the UK Government of the ‘UK cyber security: the role of insurance in managing and mitigating the risk’ report is just the latest manifestation of this strategy.
There are, however, some worrying pitfalls that need to be considered, as the market develops. Importantly, to avoid such issues, there is a need for joint innovation by insurers and cyber security specialists.
Most insureds are interdependent for their security but, currently, they are not incentivised to invest when under-investment by another firm causes them harm. This leads to a 'race to the bottom' as firms invest less in protection than their peers.
Insureds' dependency on outsourced services creates a correlation in cyber risk, as the outsourcers become the common factor across industry sectors and geographies. Similarly, the technology used by insureds is highly homogeneous; technology monocultures also exist across industry sectors and geographies, which means a single technology flaw could catastrophically affect swathes of businesses. Both factors make portfolio segmentation problematic.
It is difficult for insurers to identify the cyber risks borne by the insured. Despite the cyber security industry being awash with data on the growing numbers and types of security breaches and replete with competing security frameworks and standards all purporting to be best practices, there is no reliable quantification of the effectiveness of the differing cyber security measures.
Without a causal link from implemented cyber security measures to improved risk outcomes, it is difficult to differentiate insureds.
From a premium perspective, they each get a general market cost, rather than an individually tailored cost. This gives no one an incentive to improve which, to insurers, is akin to a 'lemon market' for selling cyber risk.
There is also a moral hazard of sorts, in that the purchasers of cyber risk insurance are not closely involved in day-to-day cyber risk management, which is often performed by IT staff who are incentivised to deliver business benefits over business protection, out of the sight of risk professionals.
These systemic issues are starting to become clear as the cyber insurance market develops and governments become increasingly involved. This challenge was recently highlighted by Stephen Catlin of Catlin Group, who has suggested that government-backed pools, such as those in place for terrorist attacks, may be required to counter the systemic and catastrophic potential of cyber risk. However, there seems to be limited appetite in UK government circles for such an initiative.
While the systemic issues may require government intervention, there are opportunities for insurers to provide innovative products that reduce frequency and impact, while incentivising behaviours that reduce the potential for harm.
These opportunities for innovation include:
Insurers measuring cyber resilience, rather than cyber security of insureds. This would address situational awareness; diversity of capacity; level of integration of functions and actions; internal feedback loops; and the ability to adapt, including the speed of adaptation to changing threats and circumstance. By improving these areas insureds are more likely to weather catastrophic events bruised but not broken, reducing claims.
Insurers monitoring the external indicators of cyber hygiene and regularly feeding these back to their customers, potentially tying this to a variable level of cover. This would incentivise risk professionals and help IT specialists to focus on measures that could reduce the frequency of claims.
Insurers acting as aggregators of cyber risk data across their portfolios and using new analytics techniques to develop insights to be shared with the portfolio to reduce uncertainty in insured cyber risk decision making.
Insurers providing trusted forums for information sharing among their portfolio, to spread the knowledge of adversary activities. Crucially, such measures would enable firms to respond faster, reducing the size of claims.
Insurers developing capability sharing groups across their portfolios, similar to the NATO model, where an attack on one is treated as an attack on all. This addresses the capability and skills shortage impacting all insureds.
Cyber insurers need to keep abreast of innovation across the cyber security profession, so that the uncertainty and impact of cyber risk across their portfolios can be managed. In parallel, it will become increasingly important to engage with governments, to ensure that cover for catastrophic systemic risks remains feasible. The opportunities in this fast-growing market will be realised by the innovative and the 'calculated' risk takers.