Cyber Insurance in Search of Identity
Oleg Abdurashitov
Head of Public Affairs, APAC
Industry players agree that the insurance industry's role in driving improvements in cybersecurity may bring numerous benefits to insurers, their customers and policy-makers[i]. Sometimes cyber insurance is even envisioned as driving wider adoption of the best cybersecurity practices, much like property insurance resulted in omnipresent smoke detectors and water sprinklers, making public buildings safer and more resilient to fire incidents.
Given the regulatory environment, which increasingly holds companies liable for data breaches, and the record-breaking financial losses from cyberattacks last year, the demand for cyber insurance products is set to grow over 700% in the next 10 years and exceed USD 10 billion by 2020[ii]. However, in the near future cyber insurance needs to overcome several critical challenges to fulfil its promise and become as developed, essential and ubiquitous as automotive or healthcare insurance.
Although the early cyber insurance products were introduced decades ago, in the late 90s, to deal with the so-called Y2K issue[iii], most insurance companies lack historical data on cyber incidents and associated losses. To make things more complicated, cyber is a fast-evolving domain, with a constantly expanding attack surface and rapid escalation potential, where a single outbreak may cost a large company hundreds of millions of dollars in losses and remediation costs[iv]. As one participant of a cyber insurance workshop attended by Kaspersky noted, ‘we are dealing with unknown unknowns’. As a result, insurers’ pricing models are prone to costly miscalculations. Given the lack of industry standards and the large size of potential losses, especially in the case of attacks on critical infrastructures, insurers are reluctant to offer substantial limits for cyberattacks[v].
On the demand side, large enterprises are willing, and sometimes legally bound, to purchase cyber insurance solutions. They are also better positioned than small and medium businesses to procure a product tailored to their needs. However, even in the maturing markets customers still face the ‘ambiguity of coverage’, where customers might think that cyber incidents are covered and the insurer thinks they are not[vi], especially when it comes to supply-chain cyber risks. With SMEs being increasingly integrated into the supply chains of major companies, these risks are only growing larger. The infamous NotPetya ransomware spread through little-known accounting software from a Ukrainian firm that did not have the capabilities to detect and withstand a sophisticated cyberattack[vii]. None of the standardized cyber insurance products preferred by SMEs would cover the massive collateral losses, but such products can nevertheless play an important role in risk reduction by offering firms coverage for added-value technical services. These may include incident response or digital forensics services that would be too costly for most SMEs to have in-house.
One of the key issues that the emerging global cyber insurance market needs to address is the collection of cybersecurity threat data, which is needed to provide adequate cyber insurance coverage and to conduct thorough assessments of possible losses in the event of a cyberattack. Luckily, regulators across the globe are well aware of this. The recent study by ENISA calls, among other things, for harmonization of industry standards and improved incident data sharing practices in Europe[viii]. The introduction of mandatory breach notification regimes both in Europe and Asia[ix] will also create large repositories of information on cyber incidents, and some countries may even allow cyber insurers to access this data to improve and adjust their risk models.
There are also signs that the insurance industry and the cybersecurity industry are moving closer to each other to find innovative approaches and solutions to the challenges their customers face. The most recent examples include a joint product offered to corporate clients in Europe by Allianz and Kaspersky, AIG’s new threat analysis model developed in cooperation with cybersecurity vendors, and even a partnership between an insurance company and a white-hat hacker community. Indeed, the cyber insurance market could benefit from cooperating with cybersecurity vendors, as they are able to fill existing gaps in the area of risk assessment by providing their cybersecurity expertise, threat landscape knowledge and cyber forensic services.
Insurers in this sense are yet another part of the broader cyber ecosystem, and it is the development of the whole ecosystem that will determine how resilient our societies will be to emerging cyberthreats.
[i] Policy measures and cyber insurance: a framework. Daniel Woods and Andrew Simpson, Journal of Cyber Policy, Volume 2, 2017
[ii] In an Era of Major Hacks, Cyber Insurance May Be the Industry's Riskiest Bet Yet. WIRED, September 2017
[iii] Cyber risk and the changing role of insurance. Mark Camillo, Journal of Cyber Policy, Volume 2, 2017
[iv] NotPetya ransomware outbreak cost Merck more than $300M per quarter. TechRepublic, October 2017
[v] Camillo, et al
[vi] The cyber insurance market in Sweden. Ulrik Franke, Computers & Security, Volume 68, 2017
[vii] Schroedinger’s Pet(ya). Kaspersky’s Securelist, June 2017.
[viii] Commonality of risk assessment language in cyber insurance: Recommendations on Cyber Insurance. European Union Agency for Network and Information Security, October 2017
[ix] Asia moves towards tougher data breach rules. JLT: Cyber Decoder, Issue 29, December 2017