Insurers Will Drive Stronger Cyber Resilience
A recent article written by Greg Otto at Black Hat is the first indication of the industry attitude shift that we bet the formation of Cybernance on 18 months ago.
In observing cybercrime for the past several years, I’ve often wondered what precipitating event or action was going to stir companies to commit adequate resources to preventing and remediating cyber breaches. A Fedscoop article written by Greg Otto at the Black Hat Conference last week is the first indication of the industry attitude shift we bet the formation of our company on 18 months ago.
In “Let’s Declare Cyber Independence Day,” we said that a “key challenge for anyone leading the charge against cybercrime is finding a motivation strong enough to change organizational behavior, regardless of industry.” Even with the SEC threatening personal liability for corporate directors after a breach, prevailing attitudes like “it’s an IT problem” and “we can just buy more insurance” are still prevalent.
In the fedscoop article, Jeremiah Grossman of SentinelOne says, “Companies are equally as likely to buy insurance as they are to give [money] to us to prevent a hack. That’s an indictment of our industry, [that] they don’t want to give us any more money to prevent hacks. They would just rather insure the downside and be done with it.” We share his opinion that “it’s only a matter of time before information security’s masters change,” and the insurance industry will begin to impact prevailing attitudes.
“For policies to provide the right amount of coverage (and charge a worthwhile premium), insurance companies normally rely on actuarial data for fine tuning. The amount of data needed to do that doesn’t exist yet.”
– Greg Otto
Not long ago, we looked to the history of the fire insurance industry for insight. A 1905 study of the history of the fire insurance industry traced the steps that marked its evolution over 150 years, and those steps point the way for cyber insurance:
| Fire Insurance Steps | Cyber Insurance Analog |
|---|---|
| Great Fire of London in 1666 destroyed three-fourths of the city’s structures and led to desire for fire insurance | High frequency of breaches and significant losses driving cyber insurance |
| First fire insurance company in the world in London in 1706; first in the U.S. in 1752 | Cyber insurance industry growing rapidly |
| Fire departments formed to prevent and extinguish fires | Evolution of cybersecurity technology |
| Standards governing nature and location of buildings put in place | Cybersecurity standards like the NIST Framework being developed |
| Differentiating risk for businesses based upon the class of business, e.g., a paper mill paid generally higher rates | Differentiating by industry most common basis for setting cyber insurance rates at this point |
| Involvement of states in regulating fire insurance | NAIC (National Association of Insurance Commissioners) have proposing legislation) |
Subsequent steps in fire insurance history have no analog in cyber insurance – yet! No genius is required to see what next steps will bring rationality to pricing – and it shouldn’t take 150 years this time.
| Fire Insurance Steps | Next Steps for Cyber Insurance |
|---|---|
| Mapping of risk by geographic areas became the standard. | Finer-grained rate-setting based on demographics and data about internal defenses. |
| Insurance industry crusaded against riskier forms of construction | Insurance companies exert their influence over cyber risk to a more significant degree. |
| Difficulty in determining liability of the insurer led to inspections in order to prevent fires | Compliance frameworks, like NIST, HIPAA, FFIEC, ISO, etc. must be applied consistently to inspect internal defenses as a way of rationalizing differential rates. |
| Fire preventive appliances, like sprinkler systems, supported by lower insurance rates | Consistent rate-setting based upon the level of defenses |