The rise in the cost of cyber breaches and the increase in reported incidents are driving greater demand for cybersecurity insurance, as is the growing number of cyber-related exclusions being put into Directors and Officers (D&O) liability insurance and Professional Indemnity (PI) insurance. This is against a backdrop of increasingly strong regulation and legislation such as the European General Data Protection Regulation (GDPR) and the forthcoming Network and Information Security Directive (NISD), each designed to drive organizations to take cybersecurity more seriously.
And, of course, our world is becoming increasingly digital in nature, with all kinds of services—from finance to health, energy and tax affairs—becoming digitally delivered.
Cyber insurance can be obtained to cover such costs as crisis management, media management, incident management, technical remediation, legal fees, call management, data subject notification, breach investigation and many other losses resulting from a cyber-attack.
As the cyber liability market grows, the insurance industry may also play an increasingly important role in driving change in the cybersecurity landscape. As insurers help to quantify the impact of a cyber breach—something that most organizations historically have been loath to reveal—organizations' understanding of the potentially large financial impact will improve and, therefore, justify raising their cyber game.
As the insured become more cyber-savvy, their risks will change and insurers will have to adapt to create products that differentiate between low-risk and high-risk customers. This virtuous circle will create opportunity in the insurance markets while driving significant change in the world of cybersecurity.
The unique challenges of cyber risk
Reducing cyber liability (and premiums) will require businesses to have effective mechanisms for monitoring and evaluating cyber risk on a continuous basis. Yet cyber risk can have many dimensions, including data loss, business interruption, theft of intellectual property, reputational damage and many other factors. Cyber risk also is driven by human actors who continually evolve their methods of attack and the ways they extract money from victims.
Additionally, the cyber risk profile of each business often is dependent upon its industry, its size and the nature of stored data. This creates significant challenges when it comes to modeling cyber risk and evaluating the potential impact of a breach.
Part of the challenge is that cyber risk is unlike any other risk that insurers and reinsurers have ever had to underwrite. There is limited available data on the scale and financial impact of attacks. Where such data exists, often it is not shared. The drivers for risk are not properly understood either and some are inherently unpredictable. Imagine your CEO says something ill-advised in the media and a hacktivist group decides to make an example of the company by bringing down its systems. Such things can happen and are difficult to model.
While underwriters can estimate the likely cost of systems remediation, there simply is not enough historical data to evaluate potential losses resulting from costs such as compensation to customers, suppliers or partners. Some areas of impact, such as reputational damage, remain very real but largely unquantifiable.
As a result, many insurance providers are hesitant to embrace cyber insurance because of the potential risk to their business. Other insurers are accepting the risks and aggressively entering the market to become dominant. As this market matures, the industry will have to tackle this challenge by establishing more effective mechanisms for monitoring and assessing cyber risk and learning to design cyber insurance products that provide value to customers without representing undue risk to insurers.
Establishing standards, defining controls
In this complex threat environment, insurance providers need to work closely with security experts to assess relevant risk factors and position cyber risk policies more effectively. A simple way to reduce risk for the underwriter is to ensure new customers provide evidence that they have prepared and protected their organizations against cyber threats. As the market matures, we can expect minimum standards to emerge that show that insured organizations represent acceptable risks. Whether insurers will rely on existing standards or new insurance-specific baselines will emerge has yet to be seen.
As cyber insurance becomes commonplace, many insurance providers may decide that they require expert assessment before a major cyber insurance policy is issued. This trend is likely to drive significant changes in cyber insurance distribution models. As a result, independent cyber experts will effectively become resellers of cyber insurance, driving closer collaboration between the two industries and boosting information sharing among cybersecurity and insurance professionals. This probably will be true at the large risk end of the market. For smaller organizations, it is likely they will just have to show adherence to specific industry security standards—the equivalent of having a driving license before you can insure a car.
Ultimately, cyber insurance could become a major catalyst for change, driving awareness of cyber risk and a deeper understanding of threats and preventative measures at the board and leadership levels. This will help enforce better cybersecurity practices across organizations and, if nothing else, expose leadership to security issues through the cyber insurance premiums they pay and the cyber risk values they insure.
A similar article first appeared in Insurance Day.