Many people and organizations think cybersecurity insurance can improve the cyberdefense status quo for the public and private sectors. But is that really the case?
Just hours after the terrorist bombs went off in Brussels on March 22, the U.S. House Homeland Security Cybersecurity Subcommittee held a hearing to explore the market-based incentives that cyberinsurance can potentially bring to managing online risks and promoting wider adoption of cybersecurity industry best practices.
After a moment of silence to remember the victims of the terrorist attacks, Subcommittee Chair Rep. John Ratcliffe echoed what everyone in the room must have been thinking: “Attacks like these really cement the need for this committee to move forward with urgency on all fronts to try and prevent and protect Americans from attacks like these here in the United States.”
Indeed, the cybersecurity stakes have never been higher. At the same time, widespread adoption of lasting solutions to safeguard data and protect critical infrastructure from cyberattacks seems more elusive than ever. And so the same question now rings: Can cybersecurity insurance improve the cyberdefense status quo for the public and private sectors?
Many people and organizations think the answer is yes, including the U.S. Department of Homeland Security (DHS). Beyond giving organizations a safety net, the DHS hopes cyberinsurance can act as an incentive for a better security posture: insurers can offer more coverage and lower premiums to organizations that follow best practices and maintain strong cybersecurity.
While much has been written over the past few years about the pros and cons of buying cybersecurity insurance, one missing element continues to be reliable actuarial data regarding data breaches and other cyberincidents. We know much more about the likelihood of car accidents (and how to price liability and measure risk) than we do about the likelihood and ramifications of various data breaches. When you add in technology changes, network complexities and the evolving cyberthreat landscape, the actuarial challenges become even more daunting.
What is needed, say most experts, is prioritized data that can be shared into a repository to promote new kinds of cyber-risk analysis. Enter the Cyber Incident Data and Analysis Working Group (CIDAWG), which was formed by the DHS to develop key findings and conclusions about usable propositions for cyberinsurance and meaningful data sharing on incidents.
The goals set for CIDAWG include establishing the value proposition of a cyberincident data repository; identifying the cyberincident data points that should be shared into a repository to support the needed analysis; developing methods to incentivize such sharing on a voluntary basis; and defining a potential repository’s structure and functions. After receiving public input on related questions this spring, the group plans to finalize its deliverables later this year.
According to TechTarget.com, the cyberinsurance market generated $2.5 billion to $3 billion in revenue in 2015. PricewaterhouseCoopers believes those numbers will move to between $7 billion and $8 billion by 2020.
Nevertheless, “only 2 percent of companies in the U.S. have cyberinsurance,” said Julian Waits, president and CEO of PivotPoint Risk Analytics. “The biggest problem is quantifying the risk — it’s not linear, actuarial information is immature, and therefore insurance companies are grappling with ‘how do we price this risk?’ and … what and how much they need to buy, and what they’re actually getting in return.”
The big question is whether this DHS committee work, along with other industry efforts by insurance underwriters to better measure cyber-risk, can move the needle in meaningful ways regarding cyberinsurance in the coming decade.
In January, the Morris, Ill., City Council bought a $2 million cybersecurity policy at an annual cost of $7,183. Could the city have used that money to better protect its data from cyberattacks or to train its staff to avoid a data breach in the first place? There remain contrasting views on this question.
Nevertheless, buying cybersecurity insurance is a growing trend in the private sector and with more local and state governments. In addition, the majority of new technology contracts in government require vendors to carry cybersecurity insurance policies.
Five years ago, I opposed buying cybersecurity insurance in Michigan’s state government due to the immature market and unanswered questions. My current view is that cyberinsurance has improved and will continue to grow, becoming an important component of cybersecurity strategies in the public and private sectors.