By Ira Scharf
Cyber insurance saw record growth in 2014. In fact, Advisen’s buyer penetration index showed a five-fold increase in cyber insurance purchases from 2006 to 2013, demonstrating that many organizations have recognized the value in outsourcing corporate cyber risk. Naysayers, however, warn that this move does not make companies more secure, and that it allows organizations to ignore the behaviors and issues that are creating security risks in the first place.
The insurance industry historically has played a critical role in reducing risk by endorsing new technologies and behaviors that have had a significant impact on risk reduction. The near ubiquitous adoption of smoke detectors in homes and seat belts and airbags in automobiles can be traced back to the strong influence and policy support of the insurance industry.
True, it’s not actual policy that reduces risk. But having the policy helps people and corporations adopt preventive behaviors and take steps that will, in the long run, reduce their risk. The case is similar with cyber insurance. People have questioned whether having this insurance can make a company more secure. Here are three ways in which cyber insurance can improve an organization’s security performance.
1) Underwriting assessment process = exposing risks, correcting behaviors
Before an insurance policy is underwritten, there is typically an assessment process to uncover any hidden risks associated with the organization. Health insurance might be the only case where this is not true (in the U.S., you can’t be denied coverage for preexisting conditions). For cyber insurance underwriting, applicants complete questionnaires and assessments that help uncover practices that expose the organization to cyber risks. Many insurers are starting to use objective, data-driven assessments for this process. In doing so, insurers are able to see trends over time for potential customers, and highlight performance and configuration issues in their networks. Insurers then require remediation of issues and use this information in deciding how to structure the cyber insurance policies. Some insurers are even using ratings to provide ongoing monitoring and alerts to their customers, while others are offering the service as a benefit to their policyholders.
2) Mass adoption = security standards
A challenge in network security is that there are no consistent standards across industries and geographies that will guarantee a certain level of security performance from company to company. Compliance regulations stipulate such behaviors in some cases, but those regulations vary broadly between industries and state lines. As the federal government has alluded to in cyber legislation discussions, a baseline of acceptable practice will start to appear as more companies begin to adopt cyber insurance.
It remains to be seen whether cyber insurance policies will become mandated or just commonplace. Either way, as cyber insurance becomes more broadly adopted, underwriters will look for ways to standardize their assessment process and make sure they are not taking on unacceptable levels of risk. In doing so, they will look at companies and their business ecosystems in comparison to each other and have expectations of baseline risk management practices that could in time become acceptable security performance standards.
3) Policy renewals, lower premiums = consistent, improved performance
As you may know from having car insurance, once you’re insured, you don’t want to do anything that will drive up your policy costs or make you lose your insurance altogether. Auto insurance companies recognize this behavior. They offer safe driver discounts and reduced rates to drivers who take risk reduction precautions, such as installing a car alarm or parking in a garage rather than the street.
The same can be true for businesses with cyber insurance. No one wants their business security to be breached. Through the assessment process and the renewal process, organizations will be motivated to take steps to improve their security performance – especially if continuous performance monitoring is being used. Underwriters may begin to reward their higher-performing clients by offering better terms.
Overall, it’s not that simply having cyber insurance will make a company more secure. However, with mass adoption, I think it’s clear that one of the benefits will be more consistent standards for acceptable performance, as well as a better understanding of what good security hygiene is. As more companies seek policies, and underwriters look for objective ways to assess cyber risk, we will reach a point where security performance will improve as a by-product of both underwriters and policy holders wishing to reduce risk and save money.
Ira Scharf is chief strategy officer with BitSight Technologies. He previously was president of AirDat and served as general manager of energy and risk for The Weather Channel. Ira may be contacted at [email protected].