Assurance in Cyber Insurance?
By: Greg Garcia
The cybersecurity insurance market is growing but still estimated at only $2.5 billion per year. Some view the cyber insurance marketplace up to now as somewhat of a failure to launch.
Slow growth is attributed to a few factors:
- Insurance companies do not yet have the benefit of a more uniform industry application of standards of practice to assess and measure cyber risk;
- There is insufficient cyber incident data that would assist insurance companies with accurate understanding and measurement of cyber risk for policy underwriting purposes. While there are data breach reporting requirements in most states, those reporting requirements don’t provide enough actuarial support, and data breach against customer-facing services is only one of many types of destructive/disruptive/costly cyber incidents;
- Lack of clarity or uniformity of expectation between insurers and insureds in the cyber security insurance market may lead to litigation between insurers and their customers when underlying claims are filed.
Compounding complexity in the emerging cyber insurance market is the growth of disruptive internet and communications technologies that will introduce new liabilities implicating privacy, security, safety, and interoperability: innovations in mobile and industrial Internet, the Internet of Things, self-driving vehicles, and cloud services, among others. These will challenge insurance companies to build a profitable risk management model for cyber insurance.
To Fire on All Cylinders
Growth of the cyber insurance market is at a positive inflection point, and acceleration of that growth could get an assist with three key developments:
- More uniformity and transparency about cybersecurity risk measures, including those used to develop cyber insurance policy offerings. Insurers appropriately use their own competitive secret sauce to convert actuarial data to pricing structures for insurance policies. But the market is likely to scale faster if industries develop agreed upon standards of practice that are generally accepted references for assessing cyber preparedness and determining what needs to be done to reduce risk. This can include, for example, the National Institute of Standards and Technology Cybersecurity Framework, or, for already-regulated industries like financial services, regulator guidance found in the Federal Financial Institutions Examination Council.
- Agreement on a common nomenclature for categories of risk as a way to score and value that risk for insurance pricing purposes. Establishing a common breach nomenclature for insurers and insurance consumers gives the customer and provider an apples-to-apples ability to negotiate premiums based on mutually understood expectations and commitments. One such common metric or methodology in use, though not universally, is FAIR (Factor Analysis of Information Risk), an international standard for valuing and scoring risk, performed by third-party vendors.
- A market/incentive-based cyber incident reporting infrastructure. The U.S. Department of Homeland Security (DHS) has conducted several workshops over the past three years to explore what is needed for insurance companies to design better cyber insurance policies, and how insurance-consuming companies can better benchmark their preparedness and risk against industry trends. The result is a proposal for a privately-managed “data repository” to promote cyber-incident information sharing and analysis. Such a data repository would serve as a clearing house that facilitates cyber risk awareness and analysis; identification of key risks and effective controls; informed benchmarking; and enhanced modeling and forecasting. The dilemma for government and industry is how best to incentivize insurers and insureds to report cyber incidents—using agreed nomenclature such as that discussed in the second point above—in order to improve transparency in the cyber insurance market and, ultimately, to inform the development of a higher level of cybersecurity preparedness across the commercial ecosystem with minimal intrusion by the government.
Some of these market drivers may well occur organically, but government can play a constructive role, as DHS has done in convening industry stakeholders in a series of workshops, and by acting strategically toward a coherent cybersecurity policy that forges regulatory uniformity for cyber risk management. As with any emerging market that can occasionally stutter in its acceleration, cyber insurance stakeholders and government can align thinking and unity of effort toward achievement of better cybersecurity for companies and consumers, and a more robust and profitable cyber insurance market.