Cybersecurity Insurance: Promoting Good Hygiene for “Those that Know” and “Those That Don’t Yet Know”

Let’s not sugarcoat this: cybersecurity breaches have become a reality of every day life. Millions of people have been affected firsthand by attacks against household names – from Neiman Marcus and Home Depot to Anthem BlueCross BlueShield and Target. Many attacks are directed not just at individual companies, but at entire industries: financial institutions have been the targets of a countless number of DDoS attacks that flood their websites with traffic, and China has allegedly been conducting a calculated, extensive cyber espionage campaign against U.S. energy companies for years. To paraphrase Crowdstrike’s Dmitri Alperovich, today’s firms can be divided into two groups: those that know they’ve been hacked, and those that don’t yet know they’ve been hacked.

Alas, many companies continue to have woefully inadequate cybersecurity practices. In the FTC’s now infamous suit against Wyndham Hotels, the FTC found that Wyndham failed to use any firewall at critical network points, did not use any encryption for certain customer files, and did not require users to change their default passwords. Similarly, an internal company probe at Target following the breach of 40 million customers’ information found that once an intruder entered Target’s system, the intruder had access to everything – from the deli meat scales to the cash registers – because there were no controls limiting such access. As the frequency and severity of cyber attacks increase, companies need to know what they should be doing to decrease their risk, as well as how they can mitigate their costs if (and when) a cyber attack occurs.

Cybersecurity insurance could potentially be a way to do both, which is why the House Homeland Security Cybersecurity Subcommittee held a hearing this week to explore the market-based incentives that insurance can bring to the table when it comes to managing cyber risk. Many major insurance companies now offer some form of cyber insurance, and the market is expected to triple in size to $7.5 billion in annual premiums within the next few years. Thus far, many companies have adopted some form of cyber insurance in response to the mandatory breach notification laws currently in effect in forty-seven states ­­– insurance helps cover the costs of notifying customers, investigating breaches, and defending against lawsuits. Some policies are going even further, and offering protection for intellectual property theft and extortion.

Insurance provides incentives for companies to take a proactive, rather than reactive, approach to risk. The fire insurance industry is the perfect example, because it uses the “carrot” of lower rates to encourage people to adhere to certain fire safety standards, such as installing sprinklers, having an extinguisher nearby, and periodically checking the batteries in smoke detectors. As a whole, the insurance market depends on requiring some level of risk mitigation before covering an entity. In the cybersecurity insurance market, companies that adopt better security practices receive lower prices for their coverage. By evaluating a company’s cybersecurity defenses with a holistic approach that takes into account each company’s individual circumstances and risk levels, the underwriting process may encourage companies to include cybersecurity in their DNA, rather than haphazardly adopting the bare minimum protections and hoping for the best.

As an ancillary benefit, cyber insurance companies will receive a wealth of data in the event of a breach that will prove extremely useful to countering future attacks. This data, and the information insurance companies have about each victim’s cybersecurity practices, enables cyber insurance companies to identify which practices are effective, and weed out the ones that are not. Such insight makes us all safer, and could even help inform NIST as it updates its list of best practices in the future.

Although the prospect of cyber insurance looks promising, the nascent industry still has a long way to go. Quantifying cybersecurity risk is an incredibly difficult task that involves a lot of intangibles and actuarial data that is not yet available, so skeptics are right to point out that the evaluation of cyber risk is not yet being done effectively. In addition, because of the ongoing failure of many companies to take cybersecurity as seriously as they should, insuring against losses that may occur in the event of a breach poses a great deal of risk to the insurance companies themselves. As a result, the cost of cyber insurance is high, and the amount of damages covered is low. This makes many companies reluctant to buy cybersecurity insurance and makes many insurers reluctant to offer it to the fullest extent possible.

However, the cyber insurance market will evolve and more accurate methods of evaluating a company’s cyber risk profile will be adopted. As a result, the cybersecurity insurance market could be a superior alternative to detailed government mandates and cybersecurity “best practices” alone. Government cybersecurity mandates can stagnate, and fail to keep up with evolving threats. Worse still, companies might regard such standards as a checklist – once everything on the list is crossed off, they presume they are in good shape. On the contrary: the amount a company should invest in cybersecurity should be proportionate to the risk to which it is exposed.

If cyber insurance is combined with a public listing of baseline, voluntary security standards compiled by an expert entity such as NIST, companies will be better equipped to take an informed, tailor-made approach to cybersecurity. This risk-based approach makes as much sense in the physical world as it does in the digital world. In the physical world, the security mechanisms employed by a company based in a Virginia suburb look very different from those put in place by a company in a war zone. The same is true in the digital world – whether you are “in the know” or not.