Given the ongoing growth of data breaches around the world, many businesses have already invested in or are looking into cyber insurance. In 2014, the market saw $2.5 billion in premiums written for insurance policies that cover businesses’ liability in the event they suffer a data security incident. That global premium amount could double by the end of 2018 and triple to $7.5 billion by 2020, found PricewaterhouseCoopers (PWC).
If those forecasts prove true, it won’t be hard for actuaries to find companies looking for cyber insurance coverage. It could be difficult, however, for these experts to adequately measure the digital security risk of each potential customer. Jason Hart, CTO for Data Protection at Gemalto, knows why this could be the case:
“One of the challenges faced by insurers is that cyber-risk is difficult to define or predict. The situation is exacerbated by the insurance industry’s general lack of knowledge about effective security technologies and a reluctance from businesses to declare security breaches when they happen for fear of reputational damage. As a result, this lack of clarity is forcing insurers to focus on the limited set of security tools and risks that they understand, notably traditional security areas such as firewalls, anti-virus and DLP for stopping malware and data loss. All of this is forcing costs up, as insurers attempt to mitigate their own exposure. This means the whole process isn’t greatly effective.”
Hart is right. Actuaries need better data to price cyber insurance policies. But that information is hard to come by.
Cyber Risks Are Uncharted Territory for Actuaries
In its report Actuaries Beware: Pricing Cyber Insurance is a Different Ballgame, American security firm Symantec explains that part of the problem has to do with a lack of standard regulations regarding the companies’ responsibility to report a security incident. These variations create an environment where affected organizations sometimes don’t disclose breaches. Even if they do, they usually only reveal information that they are required by law to divulge. Such a strategy might spare companies from reputational damage, but it makes it difficult for insurers to measure all the costs of a security incident when crafting an insurance policy.
If they can evaluate cyber risk, they can usually do so only using third-party sources. Many data repositories host information that’s readily accessible, meaning it pertains to common security events like data breaches. Details about other types of incidents, such as malware campaigns or the use of denial-of-service (DoS) attacks, might be lacking, which further complicates the process of pricing out a cyber insurance plan.
Unfortunately, a lack of data is just the tip of the iceberg.
Actuaries also don’t have experience dealing with digital security incidents, which makes assigning dollar values to any available bits of data even more valuable. For instance, actuaries aren’t knowledgeable about white hat and black hat hackers, so it would be difficult for them to predict loss propensity or measure cyber risk for corporate networks that oftentimes extend across national borders, grant partner companies some level of access, and consist of technology that’s always changing.
Not only that, but cyber insurance is fundamentally different than other types of coverage in one key respect. Symantec calls it the “actuarial paradox” in its whitepaper:
“…If a company gets breached, and that company has a very strong counterpunch, can we potentially say that a breached company is a better risk going forward? Then, the even more direct question, which will surely face resistance, is: can we charge a lower actuarial premium for companies that have been breached in the past, knowing that their response to past events has actually made them safer risks? This flies directly in the face of everything we’ve done within other lines of business, but could make intuitive sense depending on incident response efforts put forth by the company in the event of breach or attack.”
As a result of these challenges facing actuaries, insurers create policies that do very little. According to the Ponemon 2015 Cost of Data Breach Study: Global Analysis report, a combination of security measures has the potential to reduce the overall cost of a breach ($154 per data point) by a third ($55). Only $4.40 of that reduction is due to insurance, says the report. At the same time, high-profile data breaches continue to make headlines, which makes insurers nervous and by extension drives up cyber insurance premiums.
Surprisingly, this cost isn’t all bad. Hart says it can actually motivate companies to strengthen their security posture:
“Cyber-insurance can increase awareness of the security measures that a business has in place for one simple reason: cost. Cyber-insurance is already an expensive investment for businesses. The less secure a business is, the more it costs.”
The Right Security Tools Can Reduce Premiums
Many insurance firms offer premium discounts if companies can demonstrate they have security measures in place, reports Network World. With that in mind, organizations should make sure they talk with an insurance provider before they sign on to a cyber liability policy. In the event companies can acquire a discount for appropriate security safeguards, they can help reduce their own risk by implementing key security controls, including multi-factor authentication (MFA) for access to information by internal and external groups, data encryption to protect personally identifiable information (PII) and other sensitive information, and securing the keys to the encrypted data with centralized key management that protects them in hardware and not on the servers where business-critical applications run. They should also train their employees on an ongoing basis, as doing so will lay the foundation for a security culture that can help defend against digital threats organization-wide.
To learn more about encryption and key management best practices download the Encrypt Everything eBook from Gemalto. For insights on how to secure access to all of your cloud apps, download Gemalto’s 4 Steps to Cloud Access Management guide book.