Managing risk is one thing, but cyber-insurance can also help set the standard for cybersecurity across industries. Cyber-liability protection is growing fast — and there’s a lot of potential — but there are some big questions too.
“If you ask insurers right now what is the common criteria for denying a cyber-insurance policy, I don’t think anybody will be able to give a real good answer,” cyber-risk modeler Matt Honea stated Monday in Insurance Journal. “A robust market will be able to answer that.”
A robust cyber-insurance market can also be a catalyst for better — even comprehensive — cybersecurity. This is increasingly important; just look at the government entity that insures deposits in U.S. banks, the FDIC, which was hacked as many as 54 times in two years, according to an Office of the Inspector General report last week.
And cybercrime is expensive, costing victimized organizations about $11.7 million each per year — up 62 percent from five years ago — per an Accenture and Ponemon Institute report released last month. But cyber-insurance may already be a bigger industry than you think.
No Substitute for A Good Defense
Cyber-insurance is the most rapidly growing form of coverage among U.S. companies, The Wall Street Journal reported last month. Policies mostly protect against financial losses — some even help clients with prevention — but responsibility still rests within the targeted organization.
“Insurance shouldn’t be seen as a replacement for good cybersecurity measures,” WSJ stated. “Data breaches and cyberattacks can cause lasting damage that is difficult to recoup.”
For that, we needn’t look beyond the myriad cities suing Equifax over a high-profile data breach earlier this year. Suits include allegations of fraud and failure to protect consumers, as Chicago Tribune coverage noted; legal action also looks to impose penalties — and even seeks restitution.
So, again, cybercrime is expensive — in a lot of ways. But as the market for cyber-liability insurance grows, insurers still face obstacles.
“Insurers need to stay creative with the coverage and pricing,” Chris Nyce of global auditor KPMG stated in PropertyCasualty360.com last month. How providers cover cyber-liability will depend on what the insured client needs.
Meanwhile, organizations should seek a qualified cyber-insurance broker who can get them the right coverage, according to Nyce. They must stay current on threats and coverages, bearing in mind that there will always be cyber-risk.
Yet, despite that ever-present risk, there’s no legal requirement to report a cyberattack. This is a tremendous opportunity for cyber-insurance to encourage clients to share information about attacks, which could make us all safer.
We’re All In This Together
“When you have a robust cyber market, you have this thing called economic efficiency, where, by raising the awareness about security, you actually lead to overall improved security,” Honea stated in Insurance Journal, citing the increased use of, and eventual mandate to wear, seat belts. “There’s less deaths per car accident because people are required to wear seat belts — ultimately more people live and pay into the system.”
A big problem with not sharing information after an attack — especially in the form of quietly capitulating to a hacker’s demands — is that the victim must trust the cyber-criminal not to strike again, often through backdoors left in the wake of an attack. (Good luck with that.) Plus, a discreet payment to hackers can mark you as “a preferred future target.”
So notifying authorities in the wake of a cyberattack can be very important, just like other cybersecurity basics, such as properly managing employee passwords — or the extremely retro precaution of backing up your data on tape. But there’s still more that cyber-insurance can do.
Cyber-Salvation Is In Shared Data
Trusted insurers could evaluate a client’s cybersecurity, assessing successful defenses against recent attacks, and lowering cyber-insurance premiums to incentivize good cyber-hygiene, according to Honea. Insurers can also use the data for more comprehensive attack modeling, eventually analyzing the breadth of major cyberattacks at the national level.
“If you have a mature market, and there’s a standard or some way for reporting not only attacks, but attempted attacks,” Honea said, “we’ll see that insurance can be a really good catalyst for collecting this information.”