Challenges and opportunities ahead for cyber insurance industry

Underwriters are getting more savvy about quantifying cyber risk


The dearth of data showing which companies are doing an admirable job keeping cyber intruders at bay—and which aren’t—is proving to be a major bottleneck hindering the cyber insurance market from taking off.

Insurance industry leaders recognize that tens of thousands of organizations globally might be willing to purchase cyber insurance coverage to offset part of the risk of operating in a threat-filled cyber economy. It’s clear the industry would love to see this vast, new sector of commercial cyber policies blossom.


However, underwriters continue to struggle in attempts to assemble the actuarial tables needed to structure and price cyber policies with any sort of confidence.

The result is “a fragmented and volatile business”—for underwriters, as well as for companies in the market to buy cyber insurance, according to a recent report from the SANS Institute cybersecurity think tank and training institution.

In “the ever-hostile cyber landscape … the lack of historical data presents a tremendous challenge,” writes senior analyst Barbara Filkins in “Quantifying Risk: Closing the Chasm Between Cybersecurity and Cyber Insurance,” a SANS white paper co-sponsored by PivotPoint Risk Analytics and Advisen.

Accruing useful data

Actuarial tables are composed of statistical records that allow underwriters to assess the probability that a policyholder might file a claim. Much as with life, auto and homeowner policies, underwriters working in the nascent cyber insurance field seek as much data as they can get their hands on to help them build computerized risk models. Their goal is to price cyber policies so that demand is met, with estimated payouts for losses coming in much lower than the total premiums collected over time.

Thus underwriters want to fully grasp how companies are being attacked. They especially want to know what the best defended organizations are doing to repel data thieves, spies, extortionists, malevolent insiders and hacktivist groups. The more precisely they understand attacks—and the better feel they have for the daily practices of effective defenders—the more accurately they will be able to structure policies and benchmark premiums.

Thomas Fuhrman, Marsh Risk Consulting managing director

But at this point, cyber insurance underwriters are desperately seeking useful data. No insurers have “sufficient data” to build “truly good risk models in cyber insurance,” says Thomas Fuhrman, managing director at Marsh Risk Consulting, speaking at the 2016 RSA cybersecurity conference in San Francisco earlier this month.

With so little data to work with, insurance carriers “must essentially guess at their exposure, reflected in a market that is highly variable in both policy terms and prices,” according to Filkins.

Rates don’t reflect cyber reality

The upshot is that insurance premiums amount to “a commercial price” driven by the unpredictable market—not a rate that more precisely reflects the cyber risk for insurers and businesses, says Ben Beeson, vice president for cybersecurity at Lockton.

In the meantime, businesses and organizations seeking cyber-insurance coverage have little choice but to “bear the risk when faced with high costs, high deductibles and outright denial of coverage,” the SANS report finds.

Ben Beeson, Lockton vice president for cybersecurity

In the early stages of the cyber-insurance market roughly 10 years ago, insurers would meet with clients, make a rough estimate of the risk, then “cross their fingers” and hope they wouldn’t suffer a loss, Beeson says.

Today, though, the cyber-insurance industry realizes it must raise its game in the wake of cyber attacks on corporations and government agencies that have led to severe security and privacy breaches and losses of hundreds of millions of dollars or more.

At the RSA convention, Beeson said that the insurance industry clearly must work closely with “people with technological and analytical backgrounds to find a better way to price the risk.”

Insurance, infosec not on same page

One problem: The insurance and information-security industries view risk very differently. In general, insurers focus on risk management and estimating the financial losses of attacks, while information-security experts focus on guarding against cyber attacks in the trenches.

Devon Bryan, Federal Reserve System chief information security officer

The two industries are working more closely now on best practices and potential business and regulatory frameworks. But organizations must find a common model and “speak the same lexicon, the same vernacular” for progress to be made more rapidly, said Devon Bryan, chief information security officer of the Federal Reserve System, at the RSA conference.

Another obstacle for insurers: how to cover the unpredictable and criminal nature of cyber attacks, which differ greatly from fires, auto accidents and natural disasters, hazards with a better-known history of risk assessment.

“It’s not your normal hazard,” Fuhrman says. “(In cyber attacks) you have a diabolical human on the other side of the fence, intent on causing trouble.”

The perfect storm looms

The biggest looming fear of insurers and information-security officers is the danger of “aggregation,” or a perfect storm of cyber attacks on many parties that cause incalculable financial losses. Tackling that monstrous issue may be the toughest task for insurers and security pros.

“There’s an existential threat out there … an inability to see how interconnected the risk is,” Beeson says. “If I have 10 different companies and they get hacked, I have a problem. It’s very, very disconcerting.”

David Bradford, Advisen co-founder and chief strategy officer

Despite the daunting obstacles, cyber-insurance pros are bullish on their promising $2 billion market, expected to grow to $7.5 billion to $10 billion by 2020, according to varying estimates.

“The enthusiasm for coverage is pretty high, and we have a consensus in the insurance industry about what to talk about,” says David Bradford, co-founder and chief strategy officer at Advisen. “But assessing risk is a very complicated issue from a coverage standpoint. We have a long way to go before it’s any sort of viable market.”
