If data is the new oil, then we're looking at pelicans soaked in crude on a beach.
When an oil tanker goes down or an oil rig explodes, dumping millions of gallons of petroleum into the ocean, we clean up the spill, we look for first causes, and we hold the company — even individuals — responsible for the harm they've caused to a shared resource: the environment we all live in.
When a company like Equifax commits gross negligence for failing to secure our data, and a breach pumps 147.9 million records onto the internet, the company's directors keep their jobs, their cyber insurance policy pays out, and the company posts a profit.
The Equifax breach harmed pretty much every adult in the U.S., and the company has yet to face any real consequences for its incompetence. Is this the future of cyber risk insurance — commit gross negligence and get away with it?
Maybe. Maybe not. CSO talked to more than a dozen cyber insurance experts and reviewed hundreds of pages of documents on the current state of the cyber insurance market. Here's what we found.
The moral hazard of cyber risk insurance
"Moral hazard" is the term insurance wonks use to discuss the misplaced incentives that insurance can create. It's not a new problem; it has been a part of insurance underwriting since the days of sail. Just as car insurance might encourage bad driving, or fire insurance might encourage people not to install smoke detectors, cyber insurance might encourage incompetent security practices. Why bother doing the right thing if insurance is going to pay you to do the wrong thing?
The time-tested strategy by insurance carriers to limit moral hazard is to use insurance deductibles and co-pays, and to cap maximum payouts. That way the insured shares in the financial risk and is motivated to drive safely, to install smoke detectors, and to deploy strong cybersecurity controls in their enterprise.
The moral hazard of cyber insurance haunts boardrooms. The market remains in its infancy, and insurance carriers are still grappling with how to deal with this problem. Non-technical C-suite executives looking to manage cyber risk can and do fall into this trap. If you're paying for insurance, why bother applying strong cybersecurity controls? It's cheaper and easier to just hang out for the insurance payout and not bother doing the hard work of improving your security posture.
"The inevitable tension for firms," a Rand Corporation study of cyber insurance policies concluded, "is whether to invest in ex ante security controls in order to reduce the probability of loss, or to transfer the risk (cost) to an insurer."
That might be a conversation between just the company and their insurance carrier if breaches affected only shareholders. For example, insurance began in the age of sail, when sending ships on long international voyages was risky. Ships sank, pirates attacked, storms happened, etc. If a ship carrying spices from India goes down, the only people harmed are the shareholders (and the sailors, of course, the usual footnotes to history). If Equifax gets breached, the harm affects all of society.
Because of the moral hazard it creates, cyber insurance might be uniquely unfit to deal with these massive third-party harms to society at large. However, absent regulation, or even a government willing to regulate, cyber insurance might still be the best hope for improving cybersecurity practices across the board — at least for now.
The Wild West of cyber insurance
Cyber insurance has been around, in one form or another, for the last 20 years, since the dot-com bubble burst in the late 1990s, and has grown dramatically since then, Christian Stanley of Lloyd's of London tells CSO. "Lloyd's has about a third of the global market share," Stanley says. "Year on year it's dramatically increased compared to other lines of business."
Most cyber insurance policies continue to be written for U.S. companies, although that's beginning to change. Market demands for different kinds of cyber insurance are also in flux, driven both by legislation as well as emerging technical risks. Companies looking to buy cyber insurance can purchase either standalone policies or extend existing policies to include cyber risks.
"Initially in 2003 with the laws that came into effect in California, there was a privacy breach focus," Stanley says. "In the last couple of years, business interruption has become the bigger driver of buyers coming to the market."
Cyber insurance policies can be complex and tricky to understand, and anxious C-suite executives are buying cyber insurance often without understanding the full extent of what policies cover and what they don't. To grow the market and diversify the risk, insurance companies are taking on all comers, often with no adequate measure of the true risk any given insured enterprise faces.
Both insurance carriers and enterprise buyers of cyber insurance are groping their way forward in the dark, a potentially dangerous scenario. Most insurance carriers, however, are aware of this blind spot, and researching how to better measure and quantify cyber risk.
Measuring cyber risk is very different than in other domains. If you want to rate the risk of an earthquake or a hurricane, the actuarial science is sound. A data center in a hundred-year flood plain can expect a catastrophic flood once in a hundred years. Cyber risk, on the other hand, remains far harder to quantify — a problem, it must be noted, the insurance business is working hard to solve.
Measuring cyber risk
Measuring cyber risk is an unsolved problem. How can insurance carriers effectively measure cyber risk? How can they price policies in a way that's fair? How can companies acting in good faith shop for, and purchase, the best cyber risk policy that's right for them? What does a policy cover, and — importantly — what does it not? How can insurance companies leverage premiums to encourage strong security practices, and prevent the moral hazard?
These remain unanswered questions across the industry. Many smart people are working hard to answer them, though. For now, underwriting cyber risk remains more art than science, and until recently has been based exclusively on questionnaires.
A company applying for cyber risk insurance typically fills out a questionnaire, part legal disclosure, part opportunity for self-audit, with a tiny bit of actuarial science thrown in. "If you go out and shop for breach insurance, the insurer is going to send you a questionnaire," Doug Clare, vice president of product management at FICO, says. "Is there a CISO at your company? What kind of data do you have? How many records? Are you storing credit card information? Do you have a disaster recovery plan? Do you encrypt data?"
Because many cyber risk insurance policies are so-called "admitted" policies, meaning they are registered with state insurance commissioners in the U.S. to receive some protection in case of bankruptcy, those questionnaires are public documents. (Some cyber risk insurance policies are non-admitted and are thus less regulated and more opaque in their workings.) For example, the state of Pennsylvania publishes all insurance policies admitted in that state.
Chubb
Chubb
Chubb
Questions from a Chubb cyber insurance questionnaire
Researchers at the Rand Corporation examined more than 180 cyber insurance policies in 2017, including questionnaires used by admitted carriers in New York, California and Pennsylvania. Sasha Romanosky, one of the Rand researchers, explains to CSO how this questionnaire-based underwriting works.
"[Insurance carriers] would start off with a base premium from a lookup table," he says, "and then say, 'if you're in the retail industry we're going to modify that by 1.2 or something, then a battery of questions: Is there any third-party outsourcing? Then multiply that premium by a question on laptop policy' ... the result is a linear product of a bunch of those numbers."
"Some of the policies don't even ask any security information at all," he adds. "They assess your premium based on industry and size. Others go so far as to modify that base premium by different characteristics of the firm."
This subjective method of measuring cyber risk concerns many in the industry, however, and insurance carriers are struggling to quantify cyber risk to put their underwriting on a more sound actuarial footing.