What’s Holding Back the Cyber Insurance Industry? A Lack of Solid Data

Tammy54/Shutterstock.com

As data breaches be­come in­creas­ingly com­mon­place—while re­main­ing po­ten­tially  cata­stroph­ic—or­gan­iz­a­tions are look­ing to the in­sur­ance in­dustry to help in­su­late them from the po­ten­tial fal­lout of a breach like the pair at the Of­fice of Per­son­nel Man­age­ment that to­geth­er af­fected more than 22 mil­lion people.

But the young cy­ber­insur­ance in­dustry suf­fers from a lack of the data it needs to ac­cur­ately pre­dict the risk of a breach, leav­ing it without an easy way to set in­sur­ance rates and keep­ing it from reach­ing the main­stream.

To help im­prove the data needed to un­der­stand risk and set rates, the fed­er­al gov­ern­ment is bring­ing to­geth­er in­surers and com­pan­ies to con­sider how to share more in­form­a­tion about breaches.

The main obstacle to cre­at­ing an ac­cur­ate and com­plete data­base that re­flects the land­scape of cy­ber threats is the tend­ency of busi­nesses to want to keep net­work breaches and data-loss in­cid­ents to them­selves.

Un­less com­pan­ies are re­quired by law to re­port a breach—as they gen­er­ally are when a breach res­ults in iden­tity theft, for ex­ample—they have an aver­sion to shar­ing in­form­a­tion about cy­ber­at­tacks with oth­er busi­nesses, the gov­ern­ment, or the pub­lic, in or­der to pro­tect their repu­ta­tion.

But be­cause of the in­stinct to keep quiet about in­cid­ents, there is a lack of ac­tu­ar­ial data about the risks of data breaches that is hob­bling the cy­ber­insur­ance in­dustry.

“You have to be crazy to un­der­write right now be­cause you don’t know what’s a wise way to set premi­ums,” said Costis Tore­gas, as­so­ci­ate dir­ect­or of the Cy­ber Se­cur­ity Policy and Re­search In­sti­tute at the George Wash­ing­ton Uni­versity.

“Ba­sic­ally, it’s a crap­shoot,” Tore­gas ad­ded. “It’s throw­ing darts at the wall to try to es­tab­lish rates.”

One pos­sible solu­tion to the data prob­lem would in­clude the gov­ern­ment. The De­part­ment of Home­land Se­cur­ity is bring­ing to­geth­er or­gan­iz­a­tions—in­clud­ing in­surers and private com­pan­ies—to dis­cuss set­ting up a “third-party re­pos­it­ory” for cy­ber­in­cid­ent in­form­a­tion.

Such a re­pos­it­ory would take in an­onym­ous re­ports and make them avail­able to the pub­lic, so that in­surers, oth­er com­pan­ies, and re­search­ers would have a bet­ter sense of the fre­quency and scale of cy­ber­at­tacks, said Su­z­anne Spauld­ing, un­der sec­ret­ary for the DHS’s cy­ber arm, the Na­tion­al Pro­tec­tion and Pro­grams Dir­ect­or­ate.

“What are the kinds of in­form­a­tion that a com­pany might be com­fort­able provid­ing—again, without at­tri­bu­tion to the com­pany—and that would be use­ful, both for un­der­stand­ing the nature of the chal­lenge we’re fa­cing, but also for in­sur­ance folks to be­gin to de­vel­op products that could help pro­mote safety?” Spauld­ing asked dur­ing a cy­ber­insur­ance event at the Cen­ter for Stra­tegic and In­ter­na­tion­al Stud­ies last month.

Such a re­pos­it­ory is inch­ing to­wards real­ity. A DHS work­ing group ded­ic­ated to cy­ber in­cid­ent data pub­lished a white pa­per last month with 16 data cat­egor­ies it pro­posed for the re­pos­it­ory. The cat­egor­ies in­clude a timeline of the in­cid­ent, its sever­ity, the ap­par­ent goals of the at­tack, the as­sets af­fected or com­prom­ised by the at­tack, and the cost of the breach.

Without this data, the only op­tion avail­able to in­surers is com­ing up with a com­puter mod­el to pre­dict cy­ber risk, a field which Tore­gas says is “totally at its in­fancy.”

But the need for cy­ber­insur­ance is high and grow­ing, and not just to pro­tect com­pan­ies from the of­ten dis­astrous ef­fects of a breach.

“The un­der­writ­ing pro­cess it­self can bol­ster cy­ber­se­cur­ity,” said Treas­ury Un­der Sec­ret­ary Sarah Bloom Raskin at the CSIS event. “To qual­i­fy for cy­ber­insur­ance, a busi­ness typ­ic­ally fills out an ap­plic­a­tion seek­ing de­tails on its risk level and con­trols that mit­ig­ate the risk—the act of en­ga­ging in this pro­cess helps busi­nesses identi­fy tools and best prac­tices that they may be lack­ing.”

For now, the size of the cy­ber­se­cur­ity in­sur­ance mar­ket re­mains a frac­tion of its po­ten­tial.

“The un­lock­ing of the po­ten­tial mar­ket in­to the hun­dreds of bil­lions of dol­lars will hap­pen when they either de­vel­op a com­pre­hens­ive kind of stat­ist­ic­al base of losses, or some strong mod­els that can tell them with some level of con­fid­ence, ‘I pre­dict that if you do the fol­low­ing five things, your losses will be lower than the oth­er guy who had only four of those things ticked,’” said Tore­gas.

(Image via Tammy54/Shutterstock.com)