Experts have been predicting for decades that the insurance industry would eventually help drive better private sector cybersecurity practices by pricing premiums based on cybersecurity risk.
The idea is similar to the way insurance carriers encouraged businesses to adopt fire suppression technology and consumers to buy automobiles with safety features such as seatbelts and airbags.
Unfortunately, the cybersecurity insurance market is growing more slowly than many would like and is unable to adequately provide the market incentives for better security hygiene that some envisioned. An article published last year in the IEEE Security & Privacy Journal concluded:
“Cyber insurance appears to be a weak form of governance at present. Insurers writing cyber insurance focus more on organizational procedures than technical controls, rarely include basic security procedures in contracts, and offer discounts that only offer a marginal incentive to invest in security.”
Critical infrastructure security: A warning from tomorrow
There is a lot to digest in the report, but one of the more interesting themes is the recognition that the cyber insurance market is not maturing fast enough to adequately drive better risk management decisions in the private sector.
This opinion is shared by many U.S. government policymakers and is highlighted in a more recent report produced by the bipartisan Cyberspace Solarium Commission. The commission released a comprehensive report on the state of cybersecurity in IT and OT systems in March 2020.
The commission was established by the 2019 National Defense Authorization Act, and its members include cyber experts, private sector representatives, members of Congress, and senior government officials. The report, titled A Warning from Tomorrow, makes more than 75 recommendations for improving U.S. cybersecurity and infrastructure resilience.
The authors are clear in their concern regarding the vulnerability of U.S. critical infrastructure and note that a major cyber-attack on that infrastructure would “create chaos and lasting damage exceeding that wreaked by fires in California, floods in the Midwest, and hurricanes in the Southeast.”
There is a lot to digest in the report, but one of the more interesting themes is the recognition that the cyber insurance market is not maturing fast enough to adequately drive better risk management decisions in the private sector. The report notes:
“A robust and functioning market for insurance products can have the same positive effect on the risk management behavior of firms as do regulatory interventions. Although the insurance industry plays an important role in enabling organizations to transfer a small portion of their cyber risk, it is falling short of achieving the public policy objective of driving better practices of risk management in the private sector more generally. The reasons for this failure are varied but largely come down to an inability on the part of the insurance industry to comprehensively understand and price risk…”
The report goes on to state: “For insurance to act as a de facto regulator of organizational behavior, the market for insurance must accurately price risk. Premiums and limits on insurance products must also drive firms that have bought insurance to invest in improving their cyber risk posture.”
The attractiveness of leveraging insurance carriers to regulate “organizational behavior” is a consequence of the fact that they can act economy-wide and take the place of government regulatory mandates that are often cumbersome to create, update, and enforce. Unfortunately, according to the report, currently, there is little incentive to drive customers to better manage their risk.
“Currently, the estimated worldwide value of cyber insurance premiums sits at $7.5 billion. For context, in 2017 property and casualty insurance premiums were worth $275.5 billion in the United States alone. Because insurers can either assume their inherited cyber risk with little threat to their overall solvency or pass this risk along to reinsurers in the form of derivatives, they have little incentive to push the entities they insure to manage that risk.”
So how to fix this market disconnect? The report has several concrete recommendations.
Cyber risk modeling
The report calls for the creation of a public-private partnership on cyber risk modeling. The partnership would bring together insurance companies and cyber risk modeling companies to collaborate, share information, and develop more accurate cyber risk models.
This group would be tasked with identifying “areas of common interest so that these entities can benefit from one another’s risk modeling efforts, particularly with regard to dependency mapping and the consequences of cyber disruptions.”
To address the lack of pricing tools to improve overall cyber risk management practices in the private sector, the report recommends that the Department of Homeland Security launch a federally-funded research and development center (FFRDC) to shepherd cooperation with state regulators in developing certifications for cybersecurity insurance products and to develop training for underwriters and claims adjusters.
In the U.S., individual states often set minimum standards that insurance products must meet in order to be offered in their state. These standards are typically legislated as consumer protection laws. The report recommends that “working with state insurance regulators and the public-private working group on pricing and modeling cyber risk, the FFRDC should develop cybersecurity product certifications based on a common lexicon and security standards.”
Underwriters certifications are currently available for numerous areas of coverage, including homeowners, flood, life, and health. The report recommends that the FFRDC work with insurers, state regulators, and cybersecurity risk management experts to develop training courses for cyber insurance underwriters with the goal of creating a cyber insurance underwriter certification. Similarly, it recommends that the FFRDC should lead a similar team to develop training and certification models for cyber claims adjusters.
The report calls for the exploration of government-backed reinsurance to cover catastrophic cyber events. The federal government fills this role currently in some instances through the Treasury Department’s authority to designate cyber events that trigger the Terrorism Risk Insurance Act (TRIA) protections.
The Further Consolidated Appropriations Act, 202 directed the Government Accountability Office (GAO) to assess the current state of insurance for cyber-related incidents. The report supports that study and suggests that GAO bring in other agencies of the federal government to inform that activity.
All OT owners and operators should fully understand the degree that they are covered for cyber outages in traditional policies and cyber policies. Organizations with significant OT footprints should support the commission’s recommendations, and furthermore should consider actively collaborating on the cyber risk modeling initiative. Improving risk modeling should become a core component of industry information-sharing activities. Critical infrastructure providers are well-positioned to benefit from and contribute to a more rapid maturation of the cyber insurance markets and should work proactively to achieve this goal.