Cyber Security Insurance - Part 4: Current General State of Cyber Security Insurance
Daniel Garrie
Founder @ Law and Forensics | Cybersecurity, E-Discovery, Digital Forensics, Privacy, Compliance
As insurers become increasingly reluctant to cover data breach losses under CGL policies, they are writing more and more policies specific to cyber security, making cyber security insurance the fastest-growing segment of the industry. However, the unpredictable probability and costs of data breaches, among other factors, make cyber security insurance rather expensive. Premiums for cyber security insurance totaled $1 billion in 2012 and $1.3 billion in 2013. While the cost of cyber security insurance has only recently begun to come down to some degree, many businesses still consider it too costly.
One of the difficulties created by the high cost of cyber security insurance is that it can put companies in a position where they must choose between spending money on cyber security insurance and investing in technology that will improve their cyber security. Should the insured purchase a cyber security insurance policy that indemnifies it against state sanctions, administrative fines, property damage, business interruption, and consumer lawsuits arising from a data breach, it would have little incentive to devote sufficient resources to its information security infrastructure.
This creates something of a lose-lose-lose scenario for (a) the parties entrusting their data to an insured; (b) the insurer; and (c) the insured itself. Those whose data are at stake are more likely to suffer from inadequate protection of their information; insurers may lose money by becoming liable for unexpectedly large or frequent data breaches suffered by their insureds; and the insured is more likely to be hacked, which, even if the monetary losses are covered, can result in long-term reputational damage and internal disruption for the company.
More reasonably priced premiums can help improve the situation. Offering lower premiums for companies with better cybersecurity would help incentivize companies to devote more resources to their cybersecurity infrastructure. The idea is that insurers are willing to offer reduced premiums to insureds who take steps to decrease the likelihood or extent of the insurer’s liability. This type of model is common in other fields of insurance. In the context of flood insurance for instance, elevating buildings above the community’s established base flood elevation will typically result in significantly lower flood insurance premiums for the building.
Differentiated premiums that correspond to the quality of the insured’s information security infrastructure do exist to some degree in the cyber insurance market, but are not standard, resulting in an inefficient marketplace. The difficulty with applying a differentiated premium model to the field of cyber insurance is that it can be difficult to assess what the actual cyber-risks are for a given company. There is often an information asymmetry between insurer and insured because the insurer typically does not have the resources to monitor an insured’s actions related to cyber security that may affect risks for which the insurer is liable. This can include “vital information regarding applications, software products installed by internet users and security maintenance habits, which correlate to the risk types of users.”
Adequately pricing premiums also requires a thorough understanding of cyber incident loss data, which is generally lacking because companies are often reluctant to make public their experiences with cyber security breaches. Often the companies themselves are not even aware of breaches in their systems. As a result, it is difficult for insurers to know the actual frequency and extent of cyber-breaches that have taken place among potential insurance purchasers. This lack of information concerning cyber-threats makes it even more difficult for an insurer to assess the strength of a company’s cyber security infrastructure and offer correspondingly priced premiums.
More broadly, cyber-threats remain a relatively new phenomenon that is always changing. Even with reliable information sharing, insurers wouldn’t have all that much data to use in evaluating cyber-risks compared to something like floods, which have been happening for considerably longer. Moreover, even the data that insurers do have could become obsolete overnight. The state of cybercrime is constantly in flux as new technologies are rapidly developing and hackers are becoming more sophisticated.
With time, more data is likely to become available for insurers to assess cyber-risk more accurately, and we may see differentiated premiums become standard in the near future. Technologies are already being developed to help insurers become better informed about cyber risks. Yet it remains important to navigate the cyber security insurance market carefully and to proceed with the most up-to-date information possible.
In the next installment of the article I will provide an overview of important threat actors and tools to be aware of while in the process of obtaining a cyber security insurance policy.
*republished blog series from Legal Solutions Blog
Managing Director, Product Leader, Cyber Insurance - Professional Services Practice
9 years ago

Very interesting article and well-made points. I would offer the following thoughts/comments on the issues raised:

1. Evidence suggests (Ponemon findings) that buyers of Cyber insurance take risk management more seriously and invest more in security than those that don't. The "moral hazard" argument is often raised but I have not seen or heard much, if any, evidence of it in practice - my experience matches the Ponemon findings that buyers of cyber insurance tend to be more cautious and risk-averse.

2. Cyber insurance pricing has reduced dramatically in the last 4 years - unless you are a retailer or healthcare organisation. And "expensive" is a very difficult concept to define as many corporations have discovered that not buying cyber insurance (or buying cheap cyber insurance) was very expensive indeed! A $1m policy for most <$500m revenue companies is going to be <$15,000 (very possibly below $10k) - IBM pegs the average consolidated cost of a data breach at $3.8 million.

3. Cyber insurance is still a very new discipline and as you point out, there is not enough claims data for insurers to model losses with any statistically valid confidence level; but insurers are offering very real and very broad coverage at realistic pricing given the scale and uncertainty of the risk. The "loss leader" approach has not served insurers well in the past and enough insurers have been very badly burned on cyber insurance that it is unlikely to be a strategy that (m)any will embrace, especially when you consider that insurance rates in general are at historic lows (insurance, as measured by Gross Written Premium as a % of GDP, is currently cheaper than at any time in the last 50+ years).

4. Few corporations use the same budget for insurance and IT so it is rare for them to compete or have to compromise one against the other. It is nonetheless true that companies should assess both IT security and insurance as elements of a risk mitigation strategy to find an efficient deployment of available capital. Remember that insurance is there to help when all else has failed - and at some point all else WILL fail, so having insurance (the cheapest form of contingent capital available) can be the difference between survival and going under.

5. The real problem for buyers is that the cyber insurance policies are extremely complex and difficult to understand, even for insurance experts. It is therefore essential to work with someone with real expertise in cyber coverage, and preferably one with a deep understanding of the client's business and exposures.