Challenges and opportunities ahead for cyber insurance industry
Underwriters are getting more savvy about quantifying cyber risk
By Edward Iwata, ThirdCertainty
The dearth of data showing which companies are doing an admirable job keeping cyber intruders at bay—and which aren’t—is proving to be a major bottleneck hindering the cyber insurance market from taking off.
Insurance industry leaders recognize that tens of thousands of organizations globally might be willing to purchase cyber insurance coverage to offset part of the risk of operating in a threat-filled cyber economy. It’s clear the industry would love to see this vast, new sector of commercial cyber policies blossom.
However, underwriters continue to struggle in attempts to assemble the actuarial tables needed to structure and price cyber policies with any sort of confidence.
The result is “a fragmented and volatile business”—for underwriters, as well as for companies in the market to buy cyber insurance, according to a recent report from the SANS Institute cybersecurity think tank and training institution.
In “the ever-hostile cyber landscape … the lack of historical data presents a tremendous challenge,” writes senior analyst Barbara Filkins in “Quantifying Risk: Closing the Chasm Between Cybersecurity and Cyber Insurance,” a SANS white paper co-sponsored by PivotPoint Risk Analytics and Advisen.
Accruing useful data
Actuarial tables are composed of statistical records that allow underwriters to assess the probability that a policyholder might file a claim. Much as with life, auto and homeowner policies, underwriters working in the nascent cyber insurance field seek as much data as they can get their hands on to help them build computerized risk models. Their goal is to price cyber policies so that demand is met, with estimated payouts for losses coming in much lower than the total premiums collected over time.
Thus underwriters want to fully grasp how companies are being attacked. They especially want to know what the best defended organizations are doing to repel data thieves, spies, extortionists, malevolent insiders and hacktivist groups. The more precisely they understand attacks—and the better feel they have for the daily practices of effective defenders—the more accurately they will be able to structure policies and benchmark premiums.
But at this point, cyber insurance underwriters are desperately seeking useful data. No insurers have “sufficient data” to build “truly good risk models in cyber insurance,” says Thomas Fuhrman, managing director at Marsh Risk Consulting, speaking at the 2016 RSA cybersecurity conference in San Francisco earlier this month.
With so little data to work with, insurance carriers “must essentially guess at their exposure, reflected in a market that is highly variable in both policy terms and prices,” according to Filkins.
Rates don’t reflect cyber reality
The upshot is that insurance premiums amount to “a commercial price” driven by the unpredictable market—not a rate that more precisely reflects the cyber risk for insurers and businesses, says Ben Beeson, vice president for cybersecurity at Lockton.
In the meantime, businesses and organizations seeking cyber-insurance coverage have little choice but to “bear the risk when faced with high costs, high deductibles and outright denial of coverage,” the SANS report finds.
In the early stages of the cyber-insurance market roughly 10 years ago, insurers would meet with clients, make a rough estimate of the risk, then “cross their fingers” and hope they wouldn’t suffer a loss, Beeson says.
Today, though, the cyber-insurance industry realizes it must raise its game in the wake of cyber attacks on corporations and government agencies that have led to severe security and privacy breaches and losses of hundreds of millions of dollars or more.
At the RSA convention, Beeson said that the insurance industry clearly must work closely with “people with technological and analytical backgrounds to find a better way to price the risk.”
Insurance, infosec not on same page
One problem: The insurance and information-security industries view risk very differently. In general, insurers focus on risk management and estimating the financial losses of attacks, while information-security experts focus on guarding against cyber attacks in the trenches.
The two industries are working more closely now on best practices and potential business and regulatory frameworks. But organizations must find a common model and “speak the same lexicon, the same vernacular” for progress to be made more rapidly, said Devon Bryan, chief information security officer of the Federal Reserve System, at the RSA conference.
Another obstacle for insurers: how to cover the unpredictable and criminal nature of cyber attacks, which differ greatly from fires, auto accidents and natural disasters, all of which have a better-known history of risk assessment.
“It’s not your normal hazard,” Fuhrman says. “(In cyber attacks) you have a diabolical human on the other side of the fence, intent on causing trouble.”
The perfect storm looms
The biggest looming fear of insurers and information-security officers is the danger of “aggregation,” or a perfect storm of cyber attacks on many parties that cause incalculable financial losses. Tackling that monstrous issue may be the toughest task for insurers and security pros.
“There’s an existential threat out there … an inability to see how interconnected the risk is,” Beeson says. “If I have 10 different companies and they get hacked, I have a problem. It’s very, very disconcerting.”
Despite the daunting obstacles, cyber-insurance pros are bullish on their promising $2 billion market, expected to grow to $7.5 billion to $10 billion by 2020, according to varying estimates.
“The enthusiasm for coverage is pretty high, and we have a consensus in the insurance industry about what to talk about,” says David Bradford, co-founder and chief strategy officer at Advisen. “But assessing risk is a very complicated issue from a coverage standpoint. We have a long way to go before it’s any sort of viable market.”