Why cyber insurance isn't booming
Some form of cybersecurity insurance has been around for a long time, and while the risk of cyberattacks has risen steadily, the market to insure against it has lagged. If your organization still favors risk acceptance and mitigation over risk transfer (insurance) when it comes to computer systems, it's in good company.

There are about 5,000 firms selling property and casualty insurance in the United States today but only a few dozen selling cyber insurance, according to Andrew Braunberg, research director at NSS Labs in Austin, Texas. A chief reason that cyber insurance has not taken off is that it is difficult for carriers to compare risk from one company to another, and therefore difficult to differentiate pricing based on risk posture. It's hard to put a dollar figure on losses resulting from cyberattacks. Carriers struggle to obtain actuarial data on attacks. And there are externalities involved in cyber risk, such as suppliers and partners. Plus, there aren't any universal cybersecurity risk management standards or requirements.

"If insurance carriers can determine actuarially which security products reduce risk, then they can create a pricing schedule based on the security products deployed by each client," Braunberg wrote in a recent brief. "This would create market incentives for companies to deploy additional security technologies that would supply more data with regards to attacks and the efficacy of specific security products. Hopefully this would create a virtuous cycle of incremental improvements to security technologies and insurance carrier cyber security risk management strategies."

Breach notification laws drive some types of cyber insurance

Cybersecurity insurance that covers losses to an enterprise's customers in the event that personal data is compromised (i.e., third-party insurance) has taken off a lot faster than first-party cyber insurance, Braunberg notes. This likely has to do with the costs mandated under data breach notification laws. So, it follows that future laws and regulations regarding data privacy and critical infrastructure protection would drive growth in the first-party insurance market.

Braunberg sees a big role for the federal government in motivating growth in this market. New information-sharing laws could be enacted. The liability of cybersecurity technology vendors could be limited. The feds could "directly seed the insurance market" by requiring government contractors to purchase cybersecurity policies. And, of course, the Securities and Exchange Commission could transform the "Disclosure Guidance" issued in 2011 into disclosure requirements.

"The point needs to be reached where buying cybersecurity insurance is a signal that a company is managing its risk competently," he writes. "The SEC is in a position to drive this shift in the United States."

Risk transfer sounds like a much better strategy than risk acceptance when it comes to computer networks and systems, but is it really better than earnest risk reduction? Wouldn't it be more cost-effective in the long run to properly invest in protecting stakeholders' interests than to transfer the cost of losses? Braunberg notes that the software industry's business model doesn't encourage the sale of a secure product at the outset because speed is rewarded over security, with the understanding that the product can be tweaked in future versions. To me, this would be a good place to start working on risk reduction. - Caron
