Cyber Insurance: Applying Economic Incentives to Cyber Defense
Cyber attacks have made headlines in the news lately. The Mirai botnet took down a large chunk of the Internet last September. The WannaCry ransomware wreaked havoc among UK hospitals last May and forced many to turn away emergency room patients. And last June, NotPetya disrupted operations at major banks and companies around the world.
Meanwhile, the cyber insurance industry has been quickly developing over the past year. Cyber insurance refers to the insurance product that covers losses such as data destruction, extortion, theft, hacking, and denial of service attacks. Cyber insurance is typically excluded from traditional commercial general liability policies.
Currently the market for cyber insurance is fairly niche. Only 45% of Fortune 500 companies and 16–20% of all non-SMB companies buy cyber insurance, and 90% of them are US businesses. Some 60 insurance carriers offer cyber insurance policies. Premiums totaled $2.5 billion last year and are expected to reach $5 billion in 2018 and $7.5 billion in 2020.
Fundamentally, cyber insurance is important because it represents a paradigm shift in the whole notion of cyber defense. The current model is the castle. We build a walled enclosure to which we add a moat and drawbridges and other fortifications, but once the fortress is breached there’s little to impede the attacker. This is why the worm components of the recent attacks have been so successful.
What we need is not to presume we can prevent all attacks, but to strive for resilience when under attack. Dan Geer of In-Q-Tel discussed more about this new paradigm during his 2015 RSA Conference talk. A form of resilience is risk management, or mitigating the financial loss and damages during an attack. Not only does cyber insurance mitigate risk, but it also creates economic incentives for companies to adopt best practices for information security.
We’ll take a look at how cyber insurance is disrupting the insurance industry, how cyber risk modeling is done, and what government policies can do to foster a robust cyber insurance market.
Unlike homeowner insurance or auto insurance, which have been around for decades, the cyber insurance industry has only been around for a few years. Two opportunities to disrupt outdated insurance practices come to mind.
First, under the old paradigm of evaluating risk, an actuary would create an actuarial table or decision tree. As an example, a rating plan with only 20 variables is already a matrix of millions of possible combinations. You would need a critical mass of 25% of the cells in that matrix to be filled in before you could create a reasonably accurate model, which could take years to build.
Instead of building actuarial tables from scratch, the cyber insurance industry decided to take modern machine learning techniques and apply them to pricing risk. Startups, such as RiskBased Security, mine historical data on cyber breaches to create Monte Carlo simulations. BitSight Technologies takes an alternative approach by looking at third party vendors, such as cloud providers or payment processors, and seeing how those vendors affect their customers’ risk profiles.
Second, the insurance industry is also outdated in the way contracts are evaluated and written. The old paradigm is that an insurance carrier gets a submission from a company, prices the premium, and then puts the submission away in a filing cabinet to be re-evaluated 1–3 years later. Meanwhile, the risk profile of that company can change greatly within that period, but the premium legally cannot be changed to reflect the company’s fluctuation in risk.
Cyber insurance has resulted in more dynamic information sharing between the insurer and the insured, such that premiums can be continuously adjusted to reflect new risk profiles. Startups such as Cyence, K2 Intelligence, BitSight Technologies, and SecurityScorecard continuously monitor risk from internal and external data sources. This dynamic information sharing can actually incentivize companies to improve their security. Many simple practices greatly improve the security of a system, such as limiting access privileges to important information in the system, segmenting the network and important data, patching software every time an update is released, and removing hardcoded passwords. In addition, this helps reduce the adverse selection problem that plagues the insurance industry.
Cyber Risk Modeling and Data
Currently 48 states have breach notification laws. These laws require companies to notify their customers affected by a breach. In addition, most states also require companies to write a post-mortem detailing the background of the breach and the steps taken to remedy damages. These reports are then made available to the public. Thanks to breach notification laws, these reports have become the primary source of data on cyber breaches.
There are two parts in pricing risk: the likelihood of the risk and the severity of the risk. A common misconception in cyber insurance is that you need massive amounts of data to accurately price risk. In reality, relatively few factors determine how well a company is protected against cyber attacks. Admin privileges, user behaviors, network segmentation practices, and system patches, for instance, already paint a rough picture of the possible sources and likelihood of a breach. Yet the difficulty of aggregating and collecting that data is what’s inhibiting the growth of the cyber insurance market. Many companies, surprisingly enough, don’t exactly know who their vendors are, and the ones that do also want to extend insurance coverage to the companies they depend on.
After determining the likelihood of a breach, the next step is to calculate the severity of a breach. Variables such as the number of records, statutory requirements, outside forensics, lawsuits, and the price of data on the black market help determine the cost of a cyber breach.
A major issue with cyber risk modeling is balancing the usefulness of data with the friction of invasiveness. No company likes to be burdened with excessive security audits, notwithstanding being exposed to privacy risks when auditors tap into the company’s network. The cyber insurance industry is competitive, so companies can just find an insurer that doesn’t force the company to give access to its internal systems. Moreover, small and medium businesses (SMBs) have expressed interest in cyber insurance, but the friction of filling out insurance forms without a dedicated IT team creates a substantial barrier. As a result, asking for more data from the insured is most effective only when the insured gets something in return such as lowered premiums.
Another big issue in cyber risk modeling is managing the accumulation of cyber risk. In insurance this is called “correlated risk.” The last thing an insurance company wants is to be hit with tons of insurance claims all at once. For other types of insurance, the solution is diversification of risk. Home insurance carriers, for instance, avoid selling all their plans in hurricane-prone Florida or earthquake-prone California. At the same time, they try to find geographical areas less prone to natural disasters to balance their overall portfolio risk.
Regarding cyber insurance, the question becomes whether there is an analog to geography as a way to diversify risk. Recent cyber attacks, such as the Mirai botnet, WannaCry, and NotPetya, seem to suggest that cyber attacks can affect a large number of companies all at once. Yet the likelihood of a black swan event destroying an insurer’s portfolio is uncertain. Because it takes time to move laterally across a network after a breach, attackers have to prioritize which companies to attack first, which increases the chance of their attack method being exposed.
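The likelihood-times-severity pricing described above, and the correlated-risk problem in the last two paragraphs, can both be made concrete with a small Monte Carlo simulation. The following is an added example, not code from the article or from any of the startups it names; the three insureds, their breach probabilities, record counts and cost figures are constructed, and the "common event" that breaches every insured in the same year (a stand-in for a self-propagating worm such as the ones mentioned earlier) is a hypothetical modelling choice. It computes each insured's analytic expected annual loss, then simulates many policy years with and without the shared event to show how correlation moves the portfolio's tail loss (the 99th percentile) far more than its mean.

```python
"""Monte Carlo sketch of cyber insurance pricing: likelihood x severity per
insured, plus a shared "worm-style" event to illustrate correlated risk.
All insureds, probabilities and cost figures below are constructed."""
import random

# Constructed portfolio. p_breach is the modelled annual likelihood of a breach
# (in practice driven by factors such as admin privileges, patching and network
# segmentation); the remaining fields feed the severity estimate.
PORTFOLIO = [
    {"name": "insured-a", "p_breach": 0.10, "records": 100_000,
     "notify_cost_per_record": 2.0, "forensics": 150_000.0, "lawsuits": 250_000.0},
    {"name": "insured-b", "p_breach": 0.20, "records": 20_000,
     "notify_cost_per_record": 2.0, "forensics": 80_000.0, "lawsuits": 40_000.0},
    {"name": "insured-c", "p_breach": 0.05, "records": 500_000,
     "notify_cost_per_record": 2.0, "forensics": 300_000.0, "lawsuits": 1_500_000.0},
]


def severity(insured):
    """Cost of a single breach: statutory notification scaled by the number of
    records, plus outside forensics and lawsuit exposure (constructed model)."""
    return (insured["records"] * insured["notify_cost_per_record"]
            + insured["forensics"] + insured["lawsuits"])


def expected_annual_loss(insured):
    """Analytic pure premium for one insured: likelihood x severity."""
    return insured["p_breach"] * severity(insured)


def simulate_portfolio(portfolio, years, p_common=0.0, seed=1):
    """Simulate the portfolio's total loss for each of `years` policy years.

    p_common is the annual probability of a shared event that breaches every
    insured at once (the correlated-risk case). With p_common=0 each insured's
    breach is an independent draw against its own p_breach."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    totals = []
    for _ in range(years):
        common_event = rng.random() < p_common
        total = 0.0
        for insured in portfolio:
            if common_event or rng.random() < insured["p_breach"]:
                total += severity(insured)
        totals.append(total)
    return totals


def percentile(values, q):
    """Empirical q-quantile (0 <= q <= 1) of a list of values."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(q * len(ordered)))
    return ordered[idx]


def summarise(totals):
    """Mean loss, 99th-percentile loss and worst year for a simulated run."""
    return {
        "mean": sum(totals) / len(totals),
        "p99": percentile(totals, 0.99),
        "max": max(totals),
    }


if __name__ == "__main__":
    for insured in PORTFOLIO:
        print(f"{insured['name']}: severity {severity(insured):,.0f}, "
              f"expected annual loss {expected_annual_loss(insured):,.0f}")
    independent = summarise(simulate_portfolio(PORTFOLIO, 20_000, p_common=0.0, seed=7))
    correlated = summarise(simulate_portfolio(PORTFOLIO, 20_000, p_common=0.05, seed=7))
    print("independent breaches:", {k: round(v) for k, v in independent.items()})
    print("with shared event:   ", {k: round(v) for k, v in correlated.items()})
```

In the independent run the simulated mean converges on the sum of the analytic expected losses, which is the number a premium would be built from. Adding even a 5% annual chance of a shared event pushes the 99th-percentile year up to the sum of every insured's severity, which is the exposure a carrier must hold capital against and the reason geographic-style diversification is hard to find for cyber risk.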
Insurance is primarily regulated at the state level. The California Department of Insurance, for instance, evaluates premiums to make sure they are fair, ensures companies have complete understanding of risk, and requires carriers to have a minimum capital reserve to cover claims. Yet regulation at the state level creates a lot of inefficiencies because insurance is a national market, and thus there is a lot of variance in regulatory procedures across states. The National Association of Insurance Commissioners tries to address this by creating standards for state regulators.
Standardization has the potential benefit of preemptively preventing cyber attacks. An example is 2-Factor Authentication in the finance industry. Before the 2014 JP Morgan data breach, 2FA was very unpopular and considered burdensome, but after the hack it quickly became industry standard. Yet pushing for standards too quickly also has the downside risk of reducing flexibility and experimentation. Different states could serve as laboratories of experimentation; if one state screws up its policies then the downsides are limited to that one state. Usually once the market has matured enough, the industry, rather than the government, comes together to set standards for best practices.
Furthermore, as the Affordable Care Act controversy shows, mandating insurance is always challenging. A major question is whether there is a private market approach instead of a public mandate for insurance, since a robust cyber insurance market would incentivize companies to improve their own cybersecurity.
The government could create a backstop if the cyber insurance market isn’t growing fast enough. A backstop means that the government would cover losses over a certain threshold. Or perhaps a backstop isn’t necessary if insurance carriers could offload risk to reinsurers, although right now the cyber reinsurance market is extremely small.
Another policy area is addressing state-sponsored cyber attacks. According to the Terrorism Risk Insurance Act of 2002, the federal government will cover up to a certain threshold of insurance claims that resulted from a terrorist attack. This is significant because cyber insurance, compared to other types of insurance, tends to have greater exposure to foreign actors; for example, it is suspected that North Korea was behind the WannaCry ransomware attack.
The issue is that right now there isn’t a clear definition of what constitutes cyber terrorism or cyber war, and furthermore most insurance policies have a war exclusion clause. The government could create a clearer definition of cyber terrorism and cyber war, in addition to being the “insurer of last resort” for state-sponsored cyber attacks.
Lastly, the government could start a public education campaign to raise awareness about cyber insurance and cyber risk. Right now most companies aren’t aware of what cyber insurance is. The government could offer tax deductions for cyber insurance, require cyber insurance for all government contractors and their supply chains, and teach government employees how to recognize phishing emails. AIG is even working closely with the Department of Treasury and the Department of Homeland Security right now to develop best practices on cyber risk management.
Ultimately, cyber insurance is a neat application of economic incentives to reduce the risk and damage of cyber attacks. Currently the market is fairly niche but has the potential to expand as more companies shift from the old cybersecurity paradigm of “defending the castle wall” to “resilience under attack.” It will be interesting to see how this new industry develops over the next few years.