Insurers Will Drive Stronger Cyber Resilience

by | Aug 8, 2016

A recent article written by Greg Otto at Black Hat is the first indication of the industry attitude shift that we bet the formation of Cybernance on 18 months ago.

In observing cybercrime for the past several years, I’ve often wondered what precipitating event or action was going to stir companies to commit adequate resources to preventing and remediating cyber breaches. A Fedscoop article written by Greg Otto at the Black Hat Conference last week is the first indication of the industry attitude shift we bet the formation of our company on 18 months ago.

In “Let’s Declare Cyber Independence Day,” we said that a “key challenge for anyone leading the charge against cybercrime is finding a motivation strong enough to change organizational behavior, regardless of industry.” Even with the SEC threatening personal liability for corporate directors after a breach, prevailing attitudes like “it’s an IT problem” and “we can just buy more insurance” are still prevalent.

In the fedscoop article, Jeremiah Grossman of SentinelOne says, “Companies are equally as likely to buy insurance as they are to give [money] to us to prevent a hack. That’s an indictment of our industry, [that] they don’t want to give us any more money to prevent hacks. They would just rather insure the downside and be done with it.” We share his opinion that “it’s only a matter of time before information security’s masters change,” and the insurance industry will begin to impact prevailing attitudes.

“For policies to provide the right amount of coverage (and charge a worthwhile premium), insurance companies normally rely on actuarial data for fine tuning. The amount of data needed to do that doesn’t exist yet.”
– Greg Otto

Not long ago, we looked to the history of the fire insurance industry for insight. A 1905 study of the history of the fire insurance industry traced the steps that marked its evolution over 150 years, and those steps point the way for cyber insurance:

Fire Insurance StepsCyber Insurance Analog
Great Fire of London in 1666 destroyed three-fourths of the city’s structures and led to desire for fire insuranceHigh frequency of breaches and significant losses driving cyber insurance
First fire insurance company in the world in London in 1706; first in the U.S. in 1752Cyber insurance industry growing rapidly
Fire departments formed to prevent and extinguish firesEvolution of cybersecurity technology
Standards governing nature and location of buildings put in placeCybersecurity standards like the NIST Framework being developed
Differentiating risk for businesses based upon the class of business, e.g., a paper mill paid generally higher ratesDifferentiating by industry most common basis for setting cyber insurance rates at this point
Involvement of states in regulating fire insuranceNAIC (National Association of Insurance Commissioners) have proposing legislation)

 

Subsequent steps in fire insurance history have no analog in cyber insurance – yet! No genius is required to see what next steps will bring rationality to pricing – and it shouldn’t take 150 years this time.

 

Fire Insurance StepsNext Steps for Cyber Insurance
Mapping of risk by geographic areas became the standard.Finer-grained rate-setting based on demographics and data about internal defenses.
Insurance industry crusaded against riskier forms of constructionInsurance companies exert their influence over cyber risk to a more significant degree.
Difficulty in determining liability of the insurer led to inspections in order to prevent firesCompliance frameworks, like NIST, HIPAA, FFIEC, ISO, etc. must be applied consistently to inspect internal defenses as a way of rationalizing differential rates.
Fire preventive appliances, like sprinkler systems, supported by lower insurance ratesConsistent rate-setting based upon the level of defenses

Subscribe
Be notified of new Journal entries in your email box or Follow us on Twitter.