What’s Holding Back the Cyber Insurance Industry? A Lack of Solid Data

Tammy54/Shutterstock.com

Featured eBooks
Health Tech
Read Now

Next-Generation Computing

Read Now

Space Tech

Read Now
Insights & Reports
Stay Ahead of the Latest Threats with Intelligence-driven Security Operations
Presented By Google Cloud
Download Now
Strengthening cloud security for federal agencies
Presented By Wiz
Download Now
Kaveh Waddell By Kaveh Waddell,
National Journal

By Kaveh Waddell,
National Journal

|

There's no easy way to set cyber insurance rates.

As data breaches be­come in­creas­ingly com­mon­place—while re­main­ing po­ten­tially  cata­stroph­ic—or­gan­iz­a­tions are look­ing to the in­sur­ance in­dustry to help in­su­late them from the po­ten­tial fal­lout of a breach like the pair at the Of­fice of Per­son­nel Man­age­ment that to­geth­er af­fected more than 22 mil­lion people.

But the young cy­ber­insur­ance in­dustry suf­fers from a lack of the data it needs to ac­cur­ately pre­dict the risk of a breach, leav­ing it without an easy way to set in­sur­ance rates and keep­ing it from reach­ing the main­stream.

To help im­prove the data needed to un­der­stand risk and set rates, the fed­er­al gov­ern­ment is bring­ing to­geth­er in­surers and com­pan­ies to con­sider how to share more in­form­a­tion about breaches.

The main obstacle to cre­at­ing an ac­cur­ate and com­plete data­base that re­flects the land­scape of cy­ber threats is the tend­ency of busi­nesses to want to keep net­work breaches and data-loss in­cid­ents to them­selves.

Un­less com­pan­ies are re­quired by law to re­port a breach—as they gen­er­ally are when a breach res­ults in iden­tity theft, for ex­ample—they have an aver­sion to shar­ing in­form­a­tion about cy­ber­at­tacks with oth­er busi­nesses, the gov­ern­ment, or the pub­lic, in or­der to pro­tect their repu­ta­tion.

But be­cause of the in­stinct to keep quiet about in­cid­ents, there is a lack of ac­tu­ar­ial data about the risks of data breaches that is hob­bling the cy­ber­insur­ance in­dustry.

“You have to be crazy to un­der­write right now be­cause you don’t know what’s a wise way to set premi­ums,” said Costis Tore­gas, as­so­ci­ate dir­ect­or of the Cy­ber Se­cur­ity Policy and Re­search In­sti­tute at the George Wash­ing­ton Uni­versity.

“Ba­sic­ally, it’s a crap­shoot,” Tore­gas ad­ded. “It’s throw­ing darts at the wall to try to es­tab­lish rates.”

One pos­sible solu­tion to the data prob­lem would in­clude the gov­ern­ment. The De­part­ment of Home­land Se­cur­ity is bring­ing to­geth­er or­gan­iz­a­tions—in­clud­ing in­surers and private com­pan­ies—to dis­cuss set­ting up a “third-party re­pos­it­ory” for cy­ber­in­cid­ent in­form­a­tion.

Such a re­pos­it­ory would take in an­onym­ous re­ports and make them avail­able to the pub­lic, so that in­surers, oth­er com­pan­ies, and re­search­ers would have a bet­ter sense of the fre­quency and scale of cy­ber­at­tacks, said Su­z­anne Spauld­ing, un­der sec­ret­ary for the DHS’s cy­ber arm, the Na­tion­al Pro­tec­tion and Pro­grams Dir­ect­or­ate.

“What are the kinds of in­form­a­tion that a com­pany might be com­fort­able provid­ing—again, without at­tri­bu­tion to the com­pany—and that would be use­ful, both for un­der­stand­ing the nature of the chal­lenge we’re fa­cing, but also for in­sur­ance folks to be­gin to de­vel­op products that could help pro­mote safety?” Spauld­ing asked dur­ing a cy­ber­insur­ance event at the Cen­ter for Stra­tegic and In­ter­na­tion­al Stud­ies last month.

Such a re­pos­it­ory is inch­ing to­wards real­ity. A DHS work­ing group ded­ic­ated to cy­ber in­cid­ent data pub­lished a white pa­per last month with 16 data cat­egor­ies it pro­posed for the re­pos­it­ory. The cat­egor­ies in­clude a timeline of the in­cid­ent, its sever­ity, the ap­par­ent goals of the at­tack, the as­sets af­fected or com­prom­ised by the at­tack, and the cost of the breach.

Without this data, the only op­tion avail­able to in­surers is com­ing up with a com­puter mod­el to pre­dict cy­ber risk, a field which Tore­gas says is “totally at its in­fancy.”

But the need for cy­ber­insur­ance is high and grow­ing, and not just to pro­tect com­pan­ies from the of­ten dis­astrous ef­fects of a breach.

“The un­der­writ­ing pro­cess it­self can bol­ster cy­ber­se­cur­ity,” said Treas­ury Un­der Sec­ret­ary Sarah Bloom Raskin at the CSIS event. “To qual­i­fy for cy­ber­insur­ance, a busi­ness typ­ic­ally fills out an ap­plic­a­tion seek­ing de­tails on its risk level and con­trols that mit­ig­ate the risk—the act of en­ga­ging in this pro­cess helps busi­nesses identi­fy tools and best prac­tices that they may be lack­ing.”

For now, the size of the cy­ber­se­cur­ity in­sur­ance mar­ket re­mains a frac­tion of its po­ten­tial.

“The un­lock­ing of the po­ten­tial mar­ket in­to the hun­dreds of bil­lions of dol­lars will hap­pen when they either de­vel­op a com­pre­hens­ive kind of stat­ist­ic­al base of losses, or some strong mod­els that can tell them with some level of con­fid­ence, ‘I pre­dict that if you do the fol­low­ing five things, your losses will be lower than the oth­er guy who had only four of those things ticked,’” said Tore­gas.

(Image via Tammy54/Shutterstock.com)

NEXT STORY: Commerce seeks to widen acceptance of cyber framework