The State of Cyber Insurance

All this year I’ve been researching the burgeoning cyber insurance market. Admittedly, this is a bit of a detour from covering endpoint security, network security, and security analytics, but cyber insurance is becoming an increasingly important puzzle piece in any organization’s risk mitigation strategy, so it’s worth paying attention to. 

Given all of the highly visible data breaches over the past few years, it shouldn’t be surprising that cyber insurance is on fire. Between 30% and 40% of companies have some type of cyber insurance today, and the market is growing at 35% or more on an annual basis. It is estimated that the U.S. market for cyber insurance is around $2.5 billion today with about 50 insurance companies competing for business. PWC estimates that this market will grow to over $7.5 billion by 2020.

So there is a lot of activity in cyber insurance today, but it’s pretty clear that the cyber insurance market is in its infancy and thus extremely immature. Here are a few things I’ve learned:

1. IP is off limits. Since it’s difficult to quantify the value of intellectual property (IP), the insurance companies are steering clear. Corporate boards must recognize this fact and make sure they are adequately protecting source code, blue prints, product designs, etc. 
2. The cyber insurance market is a land grab. With an increasing number of insurance companies jumping into the market, brokers are writing policies as quickly as they can. Caveat Emptor: This can result in a lot of sloppiness on the demand and supply side. 
3. Market pricing rules. In spite of increasing competition, cyber insurance policies carry high premiums, and this isn’t likely to change anytime soon. Why? Insurance companies tend to base policy rates of about 7 years of actuarial data. Not only is this data unavailable, but cyber attacks and data breaches change constantly so past events are not the best indicator of future risk. As a consequence, rates will remain high for years to come and likely increase as data breaches continue.
4. Risk assessment is done the old-fashioned way. In spite of all types security intelligence and analytics, insurance underwriters continue to anchor cyber-insurance policies with basic point-in-time risk assessments. Why aren’t they using GRC data or penetration testing? Insurance companies are quick to point out that they are not techies, nor do they have the resources to adjust policies based upon real-time data feeds. This means that insurance companies will hedge their bets with extremely high premiums.
5. Cyber insurance could drive standardization around the NIST Cybersecurity Framework (CFS). Insurance is all about statistical analysis of standard data to quantify risk, but this type of data tends to be nonexistent in cybersecurity. This is why insurance companies and other industry leaders are pushing hard to make the NIST CFS more pervasive. Companies like AIG, Apple, and Visa are already onboard. The NIST CSF opens the door for the insurance industry to capture, measure, and share risk metrics, which could go a long way toward policy underwriting and consistent premiums.
6. Don’t count on security vendors playing any role in cyber insurance. Sensing a new opportunity, security technology vendors are lining up to partner with cyber insurance vendors. The thesis here is that using some type of technology or tool (i.e. advanced malware prevention/detection, user behavioral analysis (UBA), etc.) can decrease the attack surface, improve incident response, mitigate risk, and thus lead to lower cyber insurance premiums. Sounds good, but the insurance companies I spoke with aren’t buying it. As one cyber insurance executive told me, “Just because a company deploys security technologies doesn’t mean they know how to use them. We have to assume the worst case for now.” In my humble opinion, managed security service providers (MSSPs) like BT, Dell SecureWorks, HP, IBM, Unisys, and Symantec are in a better position to participate in this type of risk sharing program than product vendors.
7. Expect more litigation in the short-term. Cyber insurance companies understand that they may have to shell out money in the event of a data breach, but this process won’t be automatic. Insurance companies do their own due diligence on data breaches and will increasingly push back if they uncover shoddy cybersecurity practices at insured companies. As an example, insurance company CNA denied the insurance claim of Cottage Health System when it was revealed that the company didn’t encrypt patient records – a cybersecurity best practice. Lawyers are going to have a field day around data breach and insurance litigation in 2016 and beyond. 
8. And “safe driver” programs in the long-term. As the industry matures, analyzes more data, and gets a better handle on risk metrics, leading providers will copy “safe driver” programs, offering incentives to policy holders that demonstrate consistent best practices and cybersecurity acumen. This will take a few years to get going. 

It’s already clear that more and more business executives and corporate directors are opting to transfer IT risk to cyber insurance companies. While the insurance executives I’ve spoken with are happy about this development, they are also circumspect about problems associated with general market immaturity. Experts recommend that companies go into cyber insurance with eyes wide open by assessing their existing insurance coverage, conducting comprehensive risk assessments, adopting the NIST CSF, embracing strong cybersecurity controls, and establishing formal incident response processes.