Insuring Cyber the Same Way as Natural Disasters

Rook Security
Published in SECOPS
6 min read · Oct 1, 2015

Mike Patterson’s blog was recently featured on the RSA Conference website here. Below are his full thoughts:

There is no doubt that cyberinsurance is a fast-growing product with an important role in our current landscape where security breaches are happening at a breakneck pace. And many claim the market is nowhere near fully saturated…lots of companies remain unprotected.

Almost every Risk Manager has a disaster plan for what we typically think of as natural disasters: hurricane, fire, even polar vortexes! Insurance policies have been developed over the past century to protect and cover against these risks. The world of cybersecurity shares many of the same characteristics (primarily loss of property), but disaster planning is often performed by non-risk managers in IT. Recent losses make us wonder if risk management, typically the one purchasing insurance, and the IT department are actually working together to communicate their needs to the insurers.

The use case for cyberinsurance is simple: take your security posture as far as you can internally, then insure away the costs for responding to whatever breaches may be inevitable — that’s Insurance 101. Companies need insurance to offset soaring breach costs when they inevitably occur…and the costs for responding to a breach can be staggering. Data varies, but the average total cost is $100-$200 per record affected, with the average cost of a breach hitting 7 figures.

However, cyberinsurance has several hurdles to clear to become what the information security world needs. Here are the challenges, as identified by Rook Security:

1. Lack of Historical Data
Data breaches have only been around for close to 30 years with the bigger breaches really only taking place en masse during the last decade. Compare that to property and casualty insurance, which has actuarial tables going back several decades with rich data streams.

2. Lack of Good Data
Property and Casualty insurance has it easy — the majority of their actuarial data is publicly available. Breach data is not, and companies will only disclose what is required under law or to protect their customer base. How can an industry make good underwriting decisions when it has limited access to data?

3. Lack of Underwriting Tools
Right now the tool of choice (really the only tool) is an application questionnaire, which can vary wildly from carrier to carrier. Other insurance products should thank their lucky stars that they can always fall back on safety inspections, weather history and even governmental data to make sound underwriting decisions.

4. Bad or Untruthful Applications
There are cases emerging where carriers are rejecting claims when the carrier can demonstrate that a company did not have the security safeguards in place that it said it did when it applied for a policy. IT security isn’t the easiest thing in the world to verify, since it’s often virtual. A visual inspection can verify whether a covered building actually has the sprinklers stated, but cybersecurity is much more difficult. What is a good underwriting process to catch companies misrepresenting themselves in their applications, particularly when there are a number of security standards and multiple ways of creating a cybersecurity strategy? Each company is unique, and its security needs can vary wildly from another applicant’s. And this doesn’t even begin to cover those who slack off on the security side once they become insured, thinking their policy will cover them.

5. Lack of Insurance Industry Personnel
New companies are jumping into the cyberinsurance world every day, chasing the market growth. However, many of the underwriters are very green, and there are very few mentors available with decades of experience to share. Much of the industry is still figuring this out together. Furthermore, the number of claims personnel within each carrier is small, along with the number of defense counsel specializing in this world.

6. Cost of Claims
There are plenty of studies that cite the average cost per record or the total cost of a breach. The numbers vary, but they vary in an upward direction each year. But what about the cost of the biggest breaches, like Anthem? A company with tens of millions of records could produce a total claim in the billions of dollars, and who would want that type of risk?

And cost of claims is the biggie that Rook Security has not seen addressed. Large companies with tens of millions of records are ironically more likely to have a robust security posture due to their larger security budgets and staff (and therefore be insurable), but their claim ceiling can be sky high. Plus, some of these companies will remain long-term targets of criminals and state-sponsored attackers (all of which makes them almost uninsurable). All of this is against the backdrop of cyberinsurance underwriting flying relatively blind compared to other insurance products.

Talking About Costs

During the Society of Financial Examiners Conference in San Diego on July 21–24, Rook Security raised this topic of the biggest companies having better security, but higher risk in terms of total claim payout. No one had a good answer because the total cost of exposure for large companies with tens of millions of records will result in an almost uninsurable risk for insurance companies at the full cost of the breach. But any policy that insurers will actually write will pale in comparison to the overall cost of a claim.

Talk about irony! Our biggest companies could be uninsurable even though their security programs are best of breed. Smaller companies will have smaller overall claims but aren’t as likely to have huge security budgets behind them. You could make a case that large and small companies are uninsurable, whether by their ability to defend themselves against attacks or the cost of a large-scale breach.

If you are Anthem-sized and have an estimated potential cost of $8 billion (80 million records x $100/record), a smart insurance company likely will not write a policy for you at that level because it would pose too much risk and it’s doubtful any re-insurer would want in either. Allstate’s cost for Hurricane Katrina was $3.68 billion, and that resulted in its worst quarterly loss ever at the time. Anthem could easily get to be twice that total unless there are some serious economies of scale for breach costs.

Natural disasters can wreak havoc on an insurance company’s performance due to their unpredictability and the massive losses when they occur. This is partially the reason why very few private insurers offer flood insurance (the other reason being adverse selection). Based upon the typical size of a data breach, nearly all companies will have to fend for themselves, with large self-insured retentions as the typical risk transfer option; especially if a breach at a single large entity has costs that rival hurricanes, floods and tornadoes.

Rook Security fears this may be the road we are going to go down, where breaches are treated as natural disasters and insurance companies will be leery to extend coverage to those most vulnerable (either because the costs would be too high or security is not already strong enough). Any coverage for a company with significant exposure will have to be placed with a carrier who specializes in that type of coverage, like the way flood insurance is done. It’s available, but you have to shop around for it in more ways than one. (And be prepared to pay a pretty penny for it.)

Finally — Rook Security understands that risk is pooled across all policyholders and the cost of paying an Anthem-sized claim could be absorbed by the premiums other insureds are paying. But even then, one Anthem scenario could wipe out any profit for the year…and that’s before any of the other policyholders put in their claims!

One thing is clear — companies are going to have to start relying on themselves for security and not placing their eggs in the basket of insurance companies coming to their rescue, because that basket may not be there, or may not be big enough, when it’s needed. If you start to view cyberinsurance like natural disaster insurance, one look at the security weather map will tell you there is a lot of nasty weather headed our way for the foreseeable future.

— By Mike Patterson, Vice President of Strategy, Rook Security, a global IT security solutions provider, and David Macknick, Senior Claims Analyst at AmTrust North America

Published in SECOPS: Intel, briefing, methods and tactics by digital security operators… for operators.

Written by Rook Security: Global provider of IT security solutions protecting against dynamic, emerging threats. Inc. 500 Company in 2014.