Security expert proposes three steps to bridge the gap between cyber insurance providers and companies insured
DUBAI, United Arab Emirates, 17th August, 2014: The hottest topic in the insurance world today is “cyber risk insurance”, or coverage for the response to and fallout from cyber crime and breaches. As Reuters recently highlighted, the cyber insurance market is set to double in 2014 over 2013 - heady times indeed for a traditionally slow-growth industry in search of new markets. The need for cyber insurance has never been more acute, with numerous, massive incidents at companies like Target (whose CEO subsequently lost his job) and eBay, and government agencies like the Office of Personnel Management. But while these high-profile breaches have led to skyrocketing interest in cyber insurance, they have also highlighted a glaring weakness in insurance companies’ ability to price – and therefore offer – such coverage: the lack of incident resolution expertise, technology and processes amongst clients requesting coverage.
2014 has already been a banner year for hacking activity leading to major cyber breaches, from the aforementioned eBay and Target breaches – a trend which hit fellow retailers Neiman Marcus and Michaels Stores – to the alleged Chinese hack into the US government’s Office of Personnel Management’s systems. According to IDG, the first half of 2014 saw a 21% increase in data breaches over the same period in 2013. At this pace, 2014 will easily eclipse 2010 as the worst year on record for data breaches.
All of this successful hacker activity has led to an explosion in interest in cyber insurance, helped along by widespread coverage of Target’s ability to cash in on the $100 million of “tower” cyber insurance coverage it carried into the massive breach of its point-of-sale systems – to the tune of $44 million in reimbursements through Q1 2014 alone. Inevitably, this led to two simultaneous and opposite reactions: among potential insured entities, the interest level in cyber insurance exploded as more companies sought to mitigate their own growing exposure to cyber breaches, while amongst insurers the Target example led to the sobering realization that they cannot effectively price cyber risk.
The cyber insurance market is being held back by a lack of maturity in two critical areas. First, insurers have an alarming inability to model client risk. Cyber insurance is so new there is almost no empirical data for insurers to use – and empirical data is the currency of insurance. Without this knowledge, it is virtually impossible for a policy to be priced accurately. This is akin to writing an auto policy without knowing if the driver is a 45-year-old professional non-drinker or a 21-year-old college student. As it has always done with new policy types, the insurance industry will eventually build up enough empirical data to make risk modeling reliable. Getting there, however, will involve threading the needle between covering too much risk (thus losing money on overly aggressive policies) and eschewing manageable risk (thus allowing competitors to profit from one’s own timidness).
Second, insurers aren’t yet requiring clients to become prepared to deal with major breaches. As the Target board has come to realize, even a company with virtually limitless resources can be unprepared for a breach. For the insurer, this would be like writing a fire policy without requiring the client to have a sprinkler system. Why would insurance companies do such a thing? Because they approach the problem very much as their clients do: a breach is something to be prevented, not something to be expected, detected and remediated quickly.
How can companies looking at purchasing cyber risk insurance and the insurance providers desperate to cover them with lucrative yet sensible policies find common ground? Craig Carpenter, Chief Marketing Officer at AccessData, proposes three simple steps that will go a long way towards achieving that end:
· Realizing breaches are inevitable, focus more on quick detection, response and remediation than prevention. The idea that a network – any network – is impenetrable simply no longer reflects reality. Prevention is obviously important, but what really minimizes exposure is speed of resolution with any incident. If Target taught us nothing else, it was that even a cybersecurity team of more than 300 that has spent “several hundred million” dollars on the latest protective gear can fail. Where the Target breach went from minor incident to major hack was in ineffective incident response: it took Target weeks to shut down the breach, during which time tens of millions of user accounts were compromised.
· Require a full-fledged incident resolution team and process. Arguably the biggest weakness for most companies is their lack of knowledgeable talent in-house that can handle a breach’s aftermath. Without the right people in place working with a sound process vetted in advance, breaches will inevitably get worse. No insurer would write a commercial building policy without a building security team and response plan, so why treat cyber security any differently?
· Work with clients to develop best practices, starting with “Mean Time to Response (MTR).” The development of sustainable health, fire, auto and life programs illustrates a tried-and-true path forward, namely working with clients to develop metrics to indicate particularly risky (or healthy or safe) behavior. By far the best way to minimize any breach is to detect and remediate it as quickly as possible. While MTR is a new metric, it has already gained momentum as a quick way of gauging a company’s cybersecurity maturity.
Cyber insurance is ready to explode in the coming quarters and years as clients and insurance companies alike are clamoring for coverage. But the only way to unlock the market’s potential is for both sides to collaborate on the development of best practices, especially in the area of rapid detection and response. Without “virtual sprinkler systems” as standard features of any cybersecurity program, cyber breaches cannot be expected to be contained before major damage is done – an outcome no one wants to see.