The recent growth in the cyber insurance market is already improving cybersecurity in some industry segments, and has the potential to do more — if the industry is able to address its data problem.
One area where cyber insurance has already made an impact is in the retail space, said David White, founder and COO at Axio Global, a cyber risk company. After the 2013 Target breach, it became very difficult for retailers to get a decent price for cyber insurance unless they had completely switched over to end-to-end encryption, or had a definite plan in place for doing that.
“I spoke to a large retailer at a conference a year ago who was wringing their hands because they could not buy cyber insurance — the sort that would cover a payment card data breach,” White said. “Their problem was that they had not allocated the funding to install end-to-end encryption and were not even planning to in the foreseeable future. The risk manager told me that they had approached the insurance market annually for several years and all she could get were ‘FU quotes.’ The cyber insurance industry has been a substantial force in driving retailers to adopt end-to-end encryption.”
Next, White said, he expects insurance companies to start insisting on anti-phishing awareness programs, strong network segmentation, and network hygiene controls for industrial control systems.
“A decent analog is the presence of sprinkler systems and other fire suppression systems as a consideration for property insurance,” White said. “Organizations don’t stop buying fire insurance because they install a sprinkler system, but they do get more attractive rates.”
“Insurance companies are helping set some general standards for cybersecurity,” said Mark Sangster, vice president and industry security strategist at eSentire. “And it’s not just for the point at which the policy is written,” he added. “Insurers are adding language to contracts that require companies to maintain a particular level of security. For example, you must do annual cybersecurity training, and if you do those things, you can have the policy and it will cost you this amount. That’s like them saying, if you’re caught doing reckless driving, your auto insurance is null and void. I think they are one of the top influences at the moment when it comes to what cybersecurity policies and procedures need to be looked at.”
Insurance companies are asking for minimum controls, agreed Jenny Soubra, head of the U.S. cyber practice at Allianz Global Corporate & Specialty. But they’re also starting to go beyond that, with more services, she said.
“Pre-loss mitigation services offered by carriers have just become table stakes,” Soubra said. “Everyone wants their clients’ risks to be improved.”
And that translates to better security, she said, as companies become more aware of their vulnerabilities and take steps to close the gaps, train their employees, and reduce response times. But there’s a limit to how much insurance companies can actually do when it comes to measuring risk, she said.
Cyber Insurance Lacks Hard Actuarial Data, Technical Experts
According to Soubra, the insurance industry is still 30 to 50 years away from having a standardized cybersecurity data set, with relevant actuarial data, that it can pull insights from.
“The threat vectors are constantly evolving,” Soubra said. “There are new ways to get into the system, new types of ransomware are constantly being created. This, in turn, has the coverage that we’re offering constantly evolving. So we’re collecting new types of data that we weren’t collecting in the past. It doesn’t help that it’s difficult for insurance companies to share data. We need a way to standardize the data, share it, and repackage it in a way that would be useful.”
For example, insurance companies are often bound by non-disclosure agreements, and there’s no central body that collects cyber incident information the way, for example, the Federal Aviation Administration does for airplane accidents and the National Highway Traffic Safety Administration does for driving.
“We need a way to standardize the data, share it, and repackage it in a way that would be useful,” Soubra said.
Instead, what happens is that insurance companies mostly sell coverage for loss of personally identifiable information and to cover the costs of business interruption due to cyber attacks, said Adam Thomas, principal at Deloitte Cyber Risk Services. The way it works is that companies looking to buy insurance fill out a questionnaire, then their insurance broker sets them up on a conference call with half a dozen carriers.
“It’s a high-level assessment — there’s not a lot of substantiation going on,” Thomas said.
And on the call itself, the carriers tend not to ask probing questions — they don’t want to give away their trade secrets to their competition, and they don’t want the client to think they’re hard to do business with.
“So that’s about as much due diligence as insurance companies do,” Thomas said. “And more recently, some of those calls have gone away because it was too much pressure on the customer.”
The cyber insurance industry doesn’t have anywhere near the depth of expertise found in, say, property and casualty, life insurance, or automotive.
“You’d think they’d take their actuarial knowledge, analytical knowledge and amass a ton of information about the claims they paid out, what the underlying causes were, so they can improve their policies,” Thomas said. “And the reality is, they haven’t.”
Instead, the industry is struggling with a dramatic shortage of personnel and a problem with getting good actuarial data.
“Most people writing cyber insurance don’t have technical backgrounds,” Thomas said. “They come from writing some other type of property and casualty insurance. They need to hire better people — and collect more data.”
And the data is another problem. In cyber insurance, the risks change more quickly than in any other type of insurance. Cars don’t — yet, at least — deliberately try to find new ways to kill their drivers. Tornadoes don’t deliberately aim for trailer parks. But cyber criminals actively look for new ways around security controls, and when they find something that works, not only does the news spread quickly to all the other criminals, but through the use of automation, botnets, crimeware-as-a-service and other tools, the criminals can launch fast, massive attacks against, well, everybody.
Take ransomware, for example. SonicWall saw the number of attacks go from just 3 million in 2014 to 638 million last year. That added up to $1 billion in profits for the ransomware industry. As a result, there are very few hard criteria for insurance companies to use when pricing policies. “It’s largely qualitative, not quantitative,” said Thomas.
They can look at the total amount of data at risk, and cost of responding to breaches and outages. Insurance companies also look at compliance — does the customer meet PCI or HIPAA requirements, or the new financial services regulations in New York State? And these kinds of guidelines don’t help much when the threats come out of the blue.
“Last year, our industry saw a large-scale cyber incident that never occurred before,” said Mike Donaldson, solutions specialist at Bay Dynamics. “We had a DDoS attack executed successfully across millions of endpoints that took down some major retailers.”
The number of vulnerable endpoints is increasing, he added, and now includes cars and medical devices and cameras. That means that an insurance company may be dealing with tens of thousands to millions of endpoints. “That makes it very challenging to assess risks,” he said.
Plus, many companies use third-party services — such as the cloud services providers hit by the recent DDoS attack. In some ways that creates the possibility of wide-ranging, catastrophic risks. But in other ways, using third-party services can improve a company’s risk profile, if the vendor is doing a particularly good job in security. By analogy, a car owner might pay a lower insurance premium if they buy a safer car.
“The cyber insurance industry has not leveraged the same telemetry to make the same kind of decisions,” said Rajiv Gupta, CEO at Skyhigh Networks. “Part of it is that the cyber insurance industry is much younger than the auto insurance or home insurance industry. And, in many cases, the industry is still not even aware that there is a way to objectively determine, or as objectively as possible, what is the security posture of a company.”
One issue is that, traditionally, the insurance industry has been backward-looking, said Steve Durbin, managing director at London-based Information Security Forum. But in technology, a focus on the past isn’t particularly helpful when everything changes so quickly.
“The challenge for insurance companies is more of a cultural or mind shift change that we have to embrace,” Durbin said. “Insurance companies will have to look at predictive analytics until we reach the point where they can combine them with actuarial data. Until then, I think it will be quite challenging for them.”
When there’s a lack of hard data or strict compliance requirements, getting cyber insurance may be difficult or almost impossible.
According to the Information Security Forum, there is currently little or no insurance available for catastrophic risks such as critical infrastructure failure or state-sponsored attacks, operational mistakes, reputation damage, industrial espionage, and loss of intellectual property or trade secrets.
According to the Ponemon survey, inadequate coverage was a major reason not to purchase cyber insurance for 36 percent of companies, tying for first place with the high price of premiums. And too many exclusions, restrictions and uninsurable risks were cited by 27 percent of respondents. And if a company does get coverage, it may be difficult to get a payout.
“The onus is on the company to prove that their controls were adequate but they still got breached and the insurance company should pay up,” said Javvad Malik, security advocate at AlienVault. “It’s never an easy process. It doesn’t help sometimes that breaches don’t get discovered for months or years. It’s kind of like health insurance. Are you covered for existing conditions? This is where it really gets messy.”
The Problem Of Low-Value Policies
One of the reasons that insurance companies might not be doing as much research and analysis as they could, and requiring serious risk assessments on the part of their customers, is that the dollar values of the policies are still relatively low.
“They’re not risking a lot,” said Itzik Kotler, CTO and co-founder at SafeBreach, an automated penetration testing company. “As the industry grows, then they will revert into more means of measuring the risk.”
SafeBreach has insurance companies as customers, he said, but for internal security testing — not as a risk control for their clients.
“As the industry grows, and companies want to purchase bigger policies, with more money, then the question of how insurance companies will mitigate their risk will be more relevant,” Kotler said.
The global cyber insurance market is now over $3.25 billion, and is expected to reach $20 billion by 2020. The entire US insurance market is more than $500 billion, so that might not seem like much at first. But it’s a significant change for the industry.
“Insurance companies are extremely excited about the product because it’s probably the first new insurance product that they’ve been able to take to the market in the last 80 to 90 years,” said Deloitte’s Thomas. “So there’s a lot of emotional excitement about it.”
And there’s a lot of room for growth.
According to recent research from the Ponemon Institute, the average company only has 15 percent of their information assets covered by insurance — compared to 59 percent for property, plant and equipment. That’s despite the fact that the average potential loss for the information assets is greater — $979 million, compared to $770 million.
Today, there is only a very small number of large writers, with over $100 million in cyber insurance premiums, according to a report by Betterley Risk Consultants.
There are several insurers in the $50 million to $100 million range, several more in the $25 million to $50 million range, and numerous insurers less than $25 million, the report said.
“That’s more than 60 carriers that offer cyber insurance altogether,” said Marc Schein, risk management consultant at New York-based Marsh & McLennan Agency. “Some carriers are offering it as a standalone product, other insurance companies will offer it in a package.”