Cyber Insurance: Triumph of the Accountants?

In-brief: Rapid advancement in the market for cyber insurance is poised to transform a cyber security market based on FUD (fear, uncertainty and doubt) to one based on hard numbers and risk. Consider yourself warned!

Back in the mid 1990s, PBS aired a documentary dubbed “Triumph of the Nerds,” which helped crystallize the dawning recognition that the technology industry was upending long-held notions about who would- and wouldn’t thrive in the economy of the 21st century. If the 50s, 60s and 70s business ideal was Don Draper: square-jawed jocks with firm handshakes and soft “people skills,” the new century would belong – roughly – to the kids that they used to enjoy stuffing in their locker: the Bill Gates, Steve Jobs and Steve Wozniak’s of the world.

It strikes me that we’re at an inflection point, where the “Triumph of the Nerds” may be giving way to the “Triumph of the Accountants.”

What am I talking about? Well, one of the topics I’ve written about quite a bit is cyber insurance – and for good reason. One of the biggest problems that companies have these days is properly understanding their risk: how likely a particular adverse event is to happen and how much it will cost when if it does.

That’s a critical question. After all: if you don’t understand the likelihood of something happening, or the cost of making your organization or customers whole afterwards, how can you know how much (or little) to invest in prevention or response.

In most other areas of our economy, the way organizations manage risk is with insurance. But, as this blog has noted before, that system breaks down around cyber risk. For one thing: online criminal groups and other sources of cyber risk are relatively new and are ever-changing. That means that insurers don’t have adequate historical data to inform actuarial tables. And even when they do start to get their arms around a problem (like data breach), the criminals have moved on.

Beyond that, reporting is very spotty. Some industries – like healthcare and finance – require disclosure of incidents that expose personal information or have a material impact. That provides glimpses into what’s going on – but only glimpses. And the result can often resemble a fun-house mirror: reporting in one industry and a lack of it in others distorts the impression we have of the landscape of malicious activity.

Consider, for example, this data incident response report from the firm Baker Hostetler, which notes that, among the industries most affected by data breaches (to whit: education, financial services, real estate, retail/hospitality, professional services, and healthcare), the healthcare represented the vast majority of incidents. However, as the report notes, that was a factor of both the federal HIPAA regulations governing the protection of patient health information and the HITECH act’s breach notification requirement, which went into effect in 2009.

Healthcare took the lion’s share of the reported incidents, but as Baker Hostetler noted, “while PHI incidents are disclosed more frequently, the severity when measured by number of affected individuals is often less (many incidents affect less than 10 people).”

In contrast, breaches in the professional services sector represented only a small slice of the total number of reported incidents, but were by far the most severe. One possible explanation is, of course, the only breaches that are publicly disclosed in that vertical are those that are large enough to warrant media attention on their own. As Baker Hostetler suggests:

“Because incidents affecting these sectors often require forensic investigation and draw more media coverage, the cost and potential financial consequences are dramatically higher on a per-incident basis.”

In other words: it may be the case that there are as many small-scale breaches in the professional services, government or retail sectors as there are in healthcare, but those incidents are never reported and are thus hidden from public view.

Enter the insurance industry. As this report from Chip Block at the Reston, Virginia firm Evolver Inc. observes: the insurance industry is already moving toward codifying cyber risks – one step in making cyber insurance a common part of the business landscape. (Chip has contributed to the Security Ledger before. Read his story on “Toppling the IoT’s Tower of Babel” here.)

Already, Block reports, insurance companies are narrowing the vast scope of the “cyber security” space into broad categories of first- and third-party cyber risk. Accountants and actuaries are working to define online risks and assign financial value to them.

As those actuarial calculations become more accurate, insurance companies will be able to accurately attach pricing (in the form of premiums and deductibles) to specific risks and mitigations. That, in turn, will take some of the FUD (fear, uncertainty and doubt) and witch-doctoring out of the cyber security space and focus investments on areas that are most likely to reduce risk. As Block notes:

“No longer will C-Level executives be faced with the ethereal concepts. They will have costs and expenditures defined in monthly premiums, deductibles and all the other elements of insurance we are all familiar with.”

In turn, technology companies and their products will align behind the technologies and processes that insurance companies endorse – just as property management firms align behind the kinds of physical safety requirements (door locks, fire suppression systems) that insurance companies have decided are effective.

Beyond that, insurance companies will be in a position to decide “cost parameters for cyber events.” Today, this kind of “cost of _x_” work is done on an ad-hoc basis by committed professionals like Larry Ponemon. But such calculations are highly variable and based on end-user surveys and lack the “teeth” that decisions about payments made by insurers will.

What will this mean for companies? At the behest of insurers, they will need to clean up their acts. Just as drivers must show proficiency behind the wheel over long periods of time, companies will need show progress along the curve of “cyber maturity” to gain access to the lowest premiums and the smallest deductibles. Block notes the work being done at places like Carnegie Mellon’s Software Engineering Institute (SEI) to teach CISOs about risk based approaches to cyber security as an example of the change of mindset that will need to occur.

Finally, its worth noting Block’s predictions on how the Internet of Things is likely to disrupt the insurance industry, including cyber insurance: raising the stakes for cyber incidents from productivity and intellectual property losses to life and limb.

“This increased risk will further involve insurance companies in the day-to-day cyber operations of everything from medical devices to home security. A cost of doing business will include protection from cyber-attacks that could cause serious harm.”