Cyber incidents are considered the No. 1 emerging risk for enterprises long-term. No surprise, then, that cybersecurity insurance policy premiums are approaching $2.75 billion a year. Some experts believe this figure will grow to roughly $20 billion by 2025.
For scores of insurance companies cashing in on the booming corporate cybersecurity insurance market, it’s a great opportunity. Deductibles are high, lots of things are excluded from coverage, and policies are rife with tight-fisted caps – the maximum amounts a victim of a cyber attack can receive.
This is great for insurers but bad for the multitudes of companies that purchase their insurance – estimated at one in three companies. And there are far more of the latter.
This begs the question of whether cybersecurity insurance – an easy sell amid the backdrop of seemingly endless reports of successful cyber breaches – is worth the money. The market thinks so. But the market isn’t always right, especially when the herd instinct kicks in.
Debate aside, it’s probably fair to say that the current cybersecurity insurance is generally better than no cybersecurity insurance, if for no other reason than most companies seem unable to ward off every potential breach lurking in a cascade of attacks. The problem isn’t entirely the fault of insurers themselves, which are hamstrung by a vexing combination of poor visibility into the cyber risk exposure of the insured and tight-lipped victims of cyber breaches. When they are struck, they hesitate to spill the beans more than necessary because it isn’t good for business. This means underwriters must struggle with insufficient visibility and actuarial data in developing policies and pricing them properly.
More Transparency Needed
What is the answer? Companies must open up more and insurers must work harder to get the facts they need, not just from the company itself but from all vendors with access to its computer systems – huge contributors to security lapses. What is needed is the development of an evidence-based method to assess and monitor a company’s cyber risk profile. This is the foundation of security ratings, enabling insurers to compare companies’ empirical data against one another and against industry averages.
The vendor piece of the problem may eventually be mitigated, in part, by startups like CyberGRX, a digital clearinghouse for cyber risk and an investment of Allegis Capital’s.
The Genius of Hartford Steam Boiler
The corporate piece of the problem could be solved by a repurposed version of old-school Hartford Steam Boiler (HSB), a division of German reinsurance giant Munich Re and the 151-year-old kingpin of an engineering approach to the equipment breakdown insurance market.
HSB’s 1,200-strong engineering and inspection services workforce serves millions of locations in North America, carefully checking not only that a company’s gear is properly insured at a fair price but also implementing procedures to minimize the filing of claims.
The Roots of Cyber Insurance
The origins of cyber coverage date back more than 20 years. Back then, it wasn’t uncommon for technology companies to buy errors and omissions (E&O) insurance, which covered claims arising from technological errors while offering services. This was eventually extended to include other things, such as a software product bringing down another company’s network, unauthorized access to a computer system, destruction of data, or a virus impacting customers.
Later, policies were expanded to cover breaches of confidential information, helping companies in the event that customer information was stolen via the Internet. This appealed to retailers and hospitals with considerable consumer data but not in need of E&O insurance. These companies needed a standalone insurance policy covering only data breaches, heralding the specific birth of the cybersecurity insurance policy.
Today’s missing cybersecurity actuarial tables are a huge problem and clearly inflate insurance premiums while narrowing coverage. The tables comprise statistical records, allowing underwriters to assess the probability that a policyholder might file a claim. These are then used to build computerized risk models.
Why Actuarial Tables Matter
Ultimately, actuarial tables enable insurers to meet a twofold goal: (1) Price cybersecurity policies to sell, and (2) make sure claims filed over time are much lower than premiums collected. Insurers today are accomplishing the second priority but not the first. Almost every sizable company should have cyber insurance, not a minority, much like every homeowner needs homeowner insurance.
What underwriters need to have – and do not today – is a good grasp of how companies are being attacked. In addition, how are the best-defended companies repelling attacks? The more underwriters know, the better they can structure policies and set policy premiums. Today, guesses about exposure are rampant.
As illustrated by the colossal attack via a refrigeration contractor on Target Corp. in 2014, one of the hardest places for companies to protect from cyberattacks is the set of holes often opened by the companies closest to them. CyberGRX has designed a software platform and business processes to guide companies in assessing their security risks and those of their partners. Assessments are compiled from member company reports, but also from a host of outside signals, such as news reports and threat reports from security companies.
A Cyber Cure-All Is Not Imminent
A cybersecurity panacea is not in the cards. That would suggest that the insurance itself is almost an afterthought, and that is ridiculous. Cybersecurity insurance, unlike many other kinds of coverage, does not insure against a natural force. It insures instead against very crafty criminal behavior, which is always evolving, purposeful, and even more dangerous.
Then, too, there are some key uncovered items, such as reputational harm and the lost value of intellectual property. The hope is that policies will continue to evolve for the better. If they do, these shortfalls will be only minor irritants, at least in comparison to today.