Cyber insurance might do a better job at regulating than regulations can

The market for cybersecurity insurance is enjoying annual double-digit growth among companies of all kinds, according to insurance-sector sources, and industry observers are now saying insurance could do a better job keeping businesses in line than government regulations can.

“The insurance market is doing a good job of providing service. We’re moving in the right direction so I don’t encourage the government to rush in to help,” said Matthew McCabe of the Marsh global insurance firm.

Sources from a variety of vantage points were adamant that cyber insurance promises more bang for the buck than regulatory measures when it comes to improving businesses’ cybersecurity performance. Companies are prompted to take a comprehensive look at their approach to cybersecurity when they take out a policy, and the insurers can shine a light on potential improvements and increase awareness of industry best practices.

“Insurance drove fire prevention at the turn of the last century” and should play a similar role on cybersecurity, said Vikram Phatak, CEO of Texas-based NSS Labs.

Phatak, whose company assesses cybersecurity products and systems, cited tax credits for cyber efforts as a “government policy that could help. That could encourage companies to insure against ‘black swan’ events and get insurance companies involved in a more meaningful way.”

A Department of Homeland Security plan to build a “cyber incident repository,” which would collect information on real-world cyber attacks and generate actuarial data for use by insurers in pricing cyber policies, apparently stalled without causing much concern within industry.

DHS officials did not comment on the status of the repository program — an Obama-era initiative — but industry sources said the idea got bogged down over where such data would come from and how it would be anonymized and protected. Former President Barack Obama’s national cybersecurity commission in late 2016 strongly endorsed the idea of a repository.

“It’s highly proprietary information that’s often confidential,” an insurance industry source said. “How to make it both usable and anonymous — they didn’t quite figure that out.”

But the source pointed to sustained annual “double-digit growth” as indicative of a healthy cyber insurance market. That includes “close to 40 percent growth” in policies written for the manufacturing sector addressing “operational risk and network outages,” the source said.

Some observers say the insurance market is tilted toward relatively garden-variety incidents such as consumer data breaches, but the insurance industry source called that an outdated “talking point” and said policies now cover cyber attacks with major operational impacts on businesses. Those are the big-ticket hacks that could stop machinery from running or douse the lights.

New research by the firm Willis Towers Watson also found high renewal rates for cyber policies and noted that insurers have “tightened pricing and retention guidelines for companies that have not addressed vulnerabilities. Where organizations have demonstrated increased levels of security and internal policy controls, underwriters have offered premium decreases.”

That’s the kind of market-driving impact that Phatak and others say they are looking for from cyber insurance.

Brian Finch of the firm Pillsbury Winthrop Shaw Pittman said “part of the [insurance] calculation needs to be investment in cyber wellness.”

He said market-based cybersecurity alternatives to regulation are key, but added that questions remain on how fully insurance can play this role. “Will the economic model of insurance carriers match with the threat environment?” he asked, suggesting an “over-investment in data breaches and an under-investment in business disruption.”

Marsh’s McCabe countered that “carriers are putting a lot of effort into tracking and addressing systemic risk” including network outages.

He also said applying the Terrorism Risk Insurance Act federal backstop to massive cybersecurity events is a major positive step by the U.S. government, which could be enhanced by legislation that clarifies the “trigger” for coverage. “Rather than having to prove a political motive for an attack to trigger coverage, better to base it on impact — if it’s a large enough incident you can call it a covered cyber event,” McCabe said.

He noted the recent update to the voluntary National Institute of Standards and Technology framework of cybersecurity standards and work at DHS on automated threat indicator sharing as two other areas where government can offer assistance beyond providing a backstop for catastrophic events.

“There’s a lot on the nonregulatory side that government can do to promote better cybersecurity,” McCabe said. He also took issue with the idea of abandoning liability protection as a policy tool.

“Liability protection in exchange for a robust cybersecurity program — if you make that a clear message, you’ll see great interest from the private sector,” he said.
