Cyber insurance forum

May 30, 2017

How the dynamics of "cyber risk perception" are actually flawed.


The insurance sector has been underwriting cyber risk for about two decades, and until recently most businesses do not appear to have given much thought to offsetting cyber risk with a financial instrument such as an insurance policy. When we combine this with a categorical misunderstanding of cyber risk, we have the ingredients for a perfect storm.

If you have seen the movie “Moneyball”, there is a great scene where Jonah Hill’s character (a statistician) is educating Brad Pitt’s character (GM for the Oakland A’s) on what a ball club’s goal should be. To paraphrase, “Baseball thinking is medieval. Your goal shouldn’t be to buy players. Your goal should be to buy runs.”

In mitigating cyber threats, your goal shouldn’t be to buy technology. Your goal should be to lower your cyber risk profile, which ultimately improves your bottom line.

The reason I bring this up is that you will see a continued theme in a lot of my posts suggesting that merely relying on investment in cybersecurity technology alone is a no-win scenario. Like Captain Kirk from Star Trek, I do not believe in “no-win scenarios”.

More money is spent on cybersecurity today than ever before, and all indicators suggest that spending will continue to increase. Data from the Atlantic Council conveys this increase: in less than a decade, we have seen greater than a 200% increase in the level of spending in the United States.

Conversely, we see a continued increase in the number of successful breaches, with a more refined focus on targets that yield the greatest financial impact (positive for the aggressor, negative for corporate bottom lines). In short, business owners are not reducing their cyber risk in proportion to their level of spending.

In a recent OECD report for the G7 Presidency during its May 11-13 event this year, the following narrative was included: “Most governments have adopted national cybersecurity or digital security strategies. However, while these strategies aim at improving awareness about cyber risk, they do not always address cybersecurity as an economic and social risk management issue.” For today’s blog, I will focus on the economics of cybersecurity and how insurance plays into this. For years I have heard industry experts say, “You cannot show a Return on Investment (ROI) for cybersecurity.”

When we look at the Potential Losses column on page 4 of the report, there are 21 types of losses that are consistent with the types of items a cyber policy may cover. Utilizing a financial instrument like an insurance policy is critical to offsetting significant financial losses. Having said that, there are unique challenges in underwriting cyber risk. There are approximately 63 companies offering policies to cover cyber events, with the majority of policies being underwritten by just six firms (AIG, Hartford, Chubb, Zurich, ACE, and Beazley).

These policies are generally written against data collected from questionnaires that, according to those in cyber who complete them, offer little relevance in determining an actual cyber risk profile. Some questions include, “Do you have a firewall – Yes/No”. Or the carrier will want to know your annual corporate revenues, as there is a belief that the higher your revenues, the higher your risk of a claim. So let’s examine this brief snapshot of the insurance review process.

1. Do you have a firewall – Yes/No

Not to be glib, but if you answer “yes”, is it plugged in? Who configured it, and what were that person’s qualifications? Is it monitored, and if so, by whom and how often?

2. Annual Revenues

Multiple sources highlight that greater than 60% of cyber insurance claims arose from small business owners. This appears to contradict the theory that the higher the revenues, the more likely a claim will be filed.

The full OECD report.

While I will not go so far as to say underwriting of cyber risk is “medieval” (to steal the Moneyball quote), there is a definite opportunity to improve based on the legacy nature of questions used in determining premiums, coverage, deductibles, and exclusions.

In the end, if you do not have insurance coverage to address the traditional range of cyber incidents, your total cost of ownership goes up. For those “experts” who advise that you cannot show an ROI for cyber, my response is, “it is not relevant”. If I can show an option to lower your total cost of ownership and thereby improve your bottom line, that is an “economic” decision. This decision helps us move away from the no-win scenarios we are exposed to every day when it comes to gaining cybersecurity support and buy-in from business owners.


Carter Schoenberg is the President and Chief Executive Officer of HEMISPHERE Cyber Risk Management, Inc. Mr. Schoenberg is a certified information system security professional with over 23 years of combined experience in criminal investigations, cyber threat intelligence, cyber security, risk management and cyber law. He is a cybersecurity subject matter expert supporting government and commercial markets to better define how to evaluate a risk profile and defining criteria for brokers and carriers to utilize in their determination on coverage and premium analysis.

HEMISPHERE is working with insurance stakeholders to define appropriate standards and training of brokers and agents in determining coverage requirements, scheduled for release later in 2017. HEMISPHERE is also working with the National Association of Insurance Commissioner’s Cyber Task Force.

Mr. Schoenberg’s expertise has been featured at many events, and his background and knowledge in the Latin American markets, specifically in Panama, has provided him with a unique and detailed view of this market segment.

Mr. Schoenberg is responsible for designing practical solutions to address cyber risk management using his proprietary cost-benefit analysis enabling system owners to make mission and cost justified decisions on cyber risk. Starting his career in law enforcement as a homicide detective, his work products have been actively used by DHS, the ISAC communities, and the Georgia Bar Association for Continuing Learning Educational (CLE) credits on the topic of cybersecurity risk and liability. His expertise is profiled at conferences including ISC2, SecureWorld Expo, ISSA and InfosecWorld.

The opinions expressed in this blog are those of Carter Schoenberg and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.