How cyber insurance actually works
Insurance industry insider tells all
A couple of weeks ago El Reg carried an article by Mark Pesce about the likely evolution of Cyber Insurance. Reg reader and insurance industry veteran Tom Whipp agreed with most of his sentiments, but wasn’t so keen on his conclusions and demanded his stint on the Reg soapbox. So, take it away Tom.
I’ve worked in security and risk for the last 15 years and within the insurance sector for almost all of the last 12 years. This can be a pretty tough gig, as most of the time people don’t really see our sector as very different from banks. When they do it’s usually because they think we’re worse because they know someone who’s had a home or motor claim go badly wrong. It’s a much more personal type of dislike.
This base opinion seems to carry over into IT professionals’ expectations of insurance, where they typically think in terms of motor insurance. It’s not a good comparison, as car insurance is a mandatory purchase that is usually selected purely on price, effectively as a licence to drive rather than a form of protection... and usually after a brief consultation with a Meerkat or animatronic 1970s toy robot.
Commercial insurance is really very different. Firstly, almost all commercial cover is a discretionary purchase, and secondly the vast majority is bought through a broker who has a professional responsibility (and liability) to ensure it’s suitable. The final decision on an insurance program is usually taken by a finance director, but it’s not uncommon for the overall program to be ratified by the board. In short, commercial insurance purchases are a hard-headed business decision taken at a senior level.
Having worked for a broker for five years and been involved in a number of client-facing presentations, I can promise you that while cost is a factor, the suitability of cover and quality of the claims service are given at least equal prominence. Insurers recognise that their primary product is the claims service and if you make a habit of stiffing your customers it would probably only take a year for your business to dry up.
So what does this tell us about the growth of cyber insurance? Well, the products have been around longer than you might imagine, but have been getting a lot more media time in the last couple of years. Mostly this reflects an increase in the board-level understanding of the potential risks they are running, although this may also reflect an increase in understanding that traditional policies don’t cover cyber events.
I’ve argued before and will again that the mere presence of cyber cover as a discussion item within an insurance program shows that boards now treat this as a real business risk rather than one that they feel obliged to talk about for PR purposes. Put it this way, hard-headed business people only spend money when they believe a risk is real and that it could hurt…a lot.
Cyber insurance is usually structured as a variant of business continuity products (called business interruption in the trade) which are designed to make an incident survivable at a business level by providing cash to soften the financial impact. This says a lot about how insurers see cyber risks. Essentially they are viewed as unpredictable disasters which could affect any firm – it’s a bit of a bleak view but insurers tend to be that way, at least before their second pint.
Given that the cover is about business survival, cyber insurance is generally sold on the basis of business size with less emphasis on individual data sets. Usually cover will provide cash to make up for shortfalls in revenue, additional costs of dealing with the incident and possibly customer liabilities (e.g. paying for credit monitoring). Insurers typically also have a panel of incident response providers, which for smaller businesses can be hugely helpful.
So why isn’t there more of this about? Unfortunately cyber risks are actually hard to cover because insurers care about four things:
- Risk selection and pricing: This relies on understanding the likely claims volumes and sizes. This is difficult when the pool of previously written policies is small and the risk levels are changing rapidly (making them non-comparable), which is certainly the case. The main effect here is that insurers are writing relatively small volumes of business while they build understanding. It’s also worth understanding that for complex commercial insurance the pricing and risk selection is mostly done manually; it’s not at all like car insurance where you are rated on specific measurable factors. Commercial insurance is in many cases more about a story and feel of a risk. There is a significant shortage of good people with underwriting skills. This is also true at the broker level, and these are the people responsible for advising the end client that they should consider the product in the first place.
- Moral Hazard: Or, put more simply, making sure that as a customer you are still incentivised to manage your own risks rather than buying cover and letting the insurer pick up the tab. This is probably the easiest to address as commercial policies quite often come with requirements for improvements (eg, a typical manufacturer might be required to upgrade their fire suppression or do extra health and safety training courses). Word to the wise, if your board buys a cyber policy, that could become the driver for some key security projects which you’d previously found it hard to persuade your business to back.
- Claims inflation (including fraud): Unsurprisingly, the main cost to an insurer is the cost of claims so this is always an area of focus. With increasing breach disclosure and the rise in civil cases and regulatory fines this is a fast-moving target. This makes it hard for insurers to understand what the likely liabilities will be in the medium term. That said, these things move slowly enough to not be a problem within the average policy life.
- Aggregation and systemic risk: Using a physical world example, in principle you might be happy to insure $10bn of coastal property but you clearly wouldn’t want it all in Miami. The problem for cyber products is that there is a worrying possibility that big events could be truly global and cut across all classes of organisation. As an insurer that’s frankly terrifying as they can’t be sure they’ve spread their risks against catastrophes, and if they wrote a lot of cover, one bad event could put them out of business. An insurer would normally buy re-insurance against massive individual or aggregated losses. There are serious suggestions that the industry will need a government-backed re-insurer along the lines of Pool Re, which covers terrorist events.
Finally, a recent article on El Reg suggested that insurers should consider buying an anti-virus or similar security product firm in order to better understand the risks. While I agree with the basic sentiment, frankly that suggestion is more than just a little nuts. Going back to an analogy with car insurance, this would be like Direct Line announcing that it wanted to buy Goodyear to better understand how cars perform in wet weather. I’m a strong believer in never saying never but if anyone would like to put a £5 bet on this happening within the next 10 years I’ll happily take your money.
That said, there clearly is a desire for a greater understanding of how cyber risks could and should be managed. However this is manifesting in the creation of industry forums and information sharing partnerships. It’s also quite likely that there will be some expansion into security management risk consulting (think ISO27001 type consultancy work). This would be consistent with what already happens in the health and safety or business continuity spaces. This would fit far better with how insurers view the world and also represents a form of risk free income for them.
So to sum up, right now you can buy cyber cover – but the overall market is still very young and the amount of capacity available is relatively small. Insurers are very much trying to figure out how to grow their ability to offer it, but there are significant hurdles. If your company does decide to look at it I would encourage you to take it seriously. Honestly it could become a serious ally in getting the important things done. ®
Tom Whipp is CISO for Charles Taylor PLC