Cyberinsurance — a rapidly growing form of insurance for organizations seeking to manage cyber-related risks, such as first-party costs incurred as a consequence of a cyberattack, breach, business interruption, restoration and third-party liability; depending on the jurisdiction, regulatory fines/penalties may also be covered.50
In addition to technical and behavioural measures, organizations are increasingly turning to cyberinsurance to help manage the financial consequences of cyber-related risk. Policy-makers are beginning to explore how cyberinsurance can not only help manage risk but also incentivize mitigating it. In an ideal world, insurers would offer cheaper insurance to companies contingent on better security controls. Insurers would also inform organizations seeking coverage about the controls they could implement to cost-effectively reduce risk. So far, cyberinsurance is a nascent field and is offered by private companies, while policy-makers are experimenting with mandates and incentives to increase the adoption of insurance.
Policy-makers are confronted with two key questions pertaining to cyberinsurance (leaving aside the particulars of the coverage provided): what incentives, if any, should be offered to obtain insurance, and which entities should be prioritized for these incentives?
- Broadly speaking, a state may intervene at three levels in the insurance market, with increasing likelihood of private-sector adoption but increasing costs, as well: voluntary (no incentives); incentivized (e.g. tax deduction); and mandated insurance. If no incentives for insurance exist, the upfront costs are likely to be low but, in the long run, depending on how liability is defined, at some point cyber costs will be borne in an outsized fashion by some entity either in the private or public sector. These costs are likely to be greater in the absence of the security control adoption promoted by insurance. On the other end of the spectrum, an insurance mandate will lead to greater upfront costs for the private sector but to smaller costs in the long run as companies adopt security controls to minimize insurance costs.
- A number of entities could be targeted for state-incentivized insurance. Given finite resources, it may be more valuable to target insurance incentives towards organizations that are less mature and less able to weather the financial consequences of cyberattacks.
The provision of cyberinsurance is not an unalloyed collective good even if insurers incentivize adequate cybersecurity risk mitigation. The insurance industry itself must be carefully monitored for the buildup of financial risk associated with bearing the costs of cyberincidents. In some jurisdictions, regulators have been concerned by the size of the implicit liability borne by insurers underwriting cyber-risks (also known as “silent” risk).51
Policy model: Cyberinsurance
Key values trade-offs created by cyberinsurance policy choices
Case study: Department of Homeland Security, Cyber Incident Data and Analysis Repository (CIDAR)
The Cyber Incident Data and Analysis Repository (CIDAR) is an initiative led by the U.S. Department of Homeland Security to solve one of the key constraints to cyberinsurance adoption: data — in particular, data that connects the failure of a specific security control with the damages incurred as a consequence. Without data, insurers cannot price the risk a given organization presents and thus cannot offer insurance in a robust way (i.e. they must offer it at such a steep price that few organizations can afford to adopt it or, perhaps worse, the few that purchase the insurance are the equivalent of cybersecurity “lemons”).52
CIDAR helps illustrate how important and vexing data limitations are for the maturation of the cyberinsurance market. Relative to other types of risk that insurers cover, cyber-risk is very difficult to measure and price. It is difficult to measure for three reasons. First, there is limited historical data. Insurers do not have a reliable indicator of the damages associated with the failure of security controls. Second, cyber-risk is “fat tailed”: very extreme events tend to occur somewhat more commonly than one would expect. Statisticians have difficulty measuring fat-tailed risk and thus, relative to other risk, cyber-risk requires a relatively larger sample size to assess confidently. Third, and perhaps most frustratingly for insurers, cyber-risk measurements are subject to an inherent uncertainty associated with threat vectors changing over time. Damage estimates associated with the failure of corporate PC-centric security controls in the early 2000s were unlikely to be adequate for assessing a bring-your-own-device corporate environment in 2012, and are even less meaningful for assessing a workplace blanketed with smart sensors in 2017. Cyberinsurance provision is hindered by the fundamental paradox of peering backward at an incomplete history to estimate forward-looking future technology risks.
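The sample-size point above can be made concrete with a small Monte Carlo experiment. The following is an added illustration, not part of the report or of CIDAR: it constructs two synthetic loss distributions with the same true mean loss of 1.0 (arbitrary units), one thin-tailed (exponential) and one fat-tailed (Pareto with tail index 1.5, which has a finite mean but infinite variance), draws many portfolios of the same size from each, and measures how often the sample mean lands within 20% of the true mean. The distributions, the sample size of 200 losses and the 20% tolerance are assumptions chosen for the demonstration.

```python
"""Why fat-tailed losses need more data to price: a constructed Monte Carlo.

Added illustration (not the report's own analysis). Two loss distributions
are built so that the true expected loss is 1.0 in both cases; only the
tail behaviour differs. An insurer that estimates expected loss from a
sample of 200 incidents gets a stable answer for the thin-tailed book and
a very unstable one for the fat-tailed book.
"""
import random

TRUE_MEAN = 1.0
PARETO_ALPHA = 1.5  # tail index; below 2 the variance is infinite
# Pareto scale chosen so that alpha * xm / (alpha - 1) == TRUE_MEAN
PARETO_XM = TRUE_MEAN * (PARETO_ALPHA - 1) / PARETO_ALPHA


def thin_tailed_loss(rng):
    """Exponential loss with mean TRUE_MEAN (light tail, finite variance)."""
    return rng.expovariate(1.0 / TRUE_MEAN)


def fat_tailed_loss(rng):
    """Pareto loss with mean TRUE_MEAN, drawn by inverse CDF: x = xm / U^(1/alpha).

    rng.random() lies in [0, 1), so 1 - u lies in (0, 1] and never divides by zero.
    """
    u = rng.random()
    return PARETO_XM / ((1.0 - u) ** (1.0 / PARETO_ALPHA))


def estimate_stability(sampler, n, trials, tolerance=0.2, seed=12345):
    """Simulate `trials` independent portfolios of `n` losses each.

    Returns (coverage, spread):
      coverage - fraction of portfolios whose sample mean lies within
                 +/- tolerance of the true mean (how often a naive
                 actuary would price roughly correctly)
      spread   - max minus min of the sample means across portfolios
                 (how far apart two insurers with different histories
                 could end up).
    A fixed seed keeps the experiment reproducible.
    """
    rng = random.Random(seed)
    means = []
    for _ in range(trials):
        total = 0.0
        for _ in range(n):
            total += sampler(rng)
        means.append(total / n)
    within = sum(1 for m in means if abs(m - TRUE_MEAN) <= tolerance * TRUE_MEAN)
    return within / trials, max(means) - min(means)


def compare(n=200, trials=1000):
    """Run both books at the same sample size and return the four statistics."""
    thin_cov, thin_spread = estimate_stability(thin_tailed_loss, n, trials)
    fat_cov, fat_spread = estimate_stability(fat_tailed_loss, n, trials)
    return {
        "thin_coverage": thin_cov,
        "thin_spread": thin_spread,
        "fat_coverage": fat_cov,
        "fat_spread": fat_spread,
    }


if __name__ == "__main__":
    r = compare()
    print(f"thin tail: {r['thin_coverage']:.1%} of 200-loss samples within "
          f"20% of the true mean; spread of estimates {r['thin_spread']:.2f}")
    print(f"fat tail : {r['fat_coverage']:.1%} of 200-loss samples within "
          f"20% of the true mean; spread of estimates {r['fat_spread']:.2f}")
```

Both books have exactly the same expected loss, so any pricing gap between them is purely a sampling artefact: the thin-tailed estimate is almost always close, while the fat-tailed estimate is usually somewhat too low (most 200-incident histories contain none of the rare catastrophic losses) and occasionally far too high. This is the mechanism behind the report's observation that fat-tailed risk needs a larger sample to assess confidently, and it is why pooled incident data of the kind CIDAR aims to collect matters more for cyber-risk than for risks with lighter tails.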
Connecting policy to values:
It is difficult to predict the normative trade-offs that will result as a consequence of policy choices impacting cyberinsurance, given the industry’s relative nascence. But in general, policies that promote increased adoption of cyberinsurance should lead to improved security as companies gain a better understanding of their own cybersecurity risk profile. The more data insurers have, the better they should be able to assess the relative importance of different risks, and price insurance accordingly. Risk transparency also helps promote greater private-sector accountability. An organization aware of how it can act to mitigate its own risks should be held to a higher standard. Over time, increased insurance adoption should lead to decreased security-related costs (inclusive of insurance), given the ability to reduce a given company’s risk profile.