Nothing says ‘yawn’ like the topic of insurance. One notable exception may be the mushrooming marketplace for cyber risk insurance. But do insurers really know what they’re underwriting?
So bland is the insurance business perceived to be that it’s the stuff of Hollywood comedy. In the 2004 film Along Came Polly, Ben Stiller played a skittish, risk-averse insurance adjuster with actuarial data on bathroom hygiene at his fingertips (no pun intended). Woody Allen famously depicts his hapless criminal Virgil Starkwell locked in solitary confinement with an eager insurance salesman in the 1969 mockumentary Take the Money and Run. Cruel and unusual punishment, indeed.
Boring though it may be, insurance is incredibly important in helping society manage risks of all sorts. Insurance markets also have a knack for shaping behavior - both personal and commercial - in ways that serve the public interest.
Take the response to Hurricane Sandy as just one example. Lawmakers in Washington D.C. may never agree on whether that storm was a product of a warming climate. In fact, they may debate the ‘facts’ of climate change from now until the end of time. But property owners and businesses in that storm’s path are already adjusting to the reality of a more volatile climate - moving critical electrical, environmental and building-management systems onto higher floors. And they’re doing so because of pressure from private insurers to mitigate future risks from flooding and storm-related damage.
Many of us would like to see the same thing happen with cyber security - especially given the justified concerns about regulating an industry as dynamic as the tech sector and (more immediately) Washington’s difficulty passing even straightforward legislation. (Highway funding, anyone?) A wider reliance on cyber insurance to hedge risk may well have the effect of enforcing best practices on organizations across industries - from authentication to application development. That would replace today’s variable and ad-hoc approach to security, in which each company is left to survive by its own wits.
And change is happening - slowly. Target, the big-box retailer that was the target (pun intended) of a major data breach last year, reportedly had $100 million worth of cyber insurance coverage through a variety of separate policies. That money has helped to offset the monetary damage of the breach and spurred other companies to look for ways to hedge their cyber risk as well. The firm Marsh & McLennan estimates that the cyber insurance market could double to $2 billion in 2014.
But as Reuters reported recently, insurers are having a difficult time getting their arms around cyber risk. And that threatens to hold back the entire cyber insurance market at a critical time.
As you can imagine, insuring cyber risk is very different from insuring lives or automobiles - and potentially a lot riskier. For one thing, insurance companies have scant experience with and knowledge of “hackers” (broadly defined) - especially compared with the decades of data they have on driver behavior and automobiles. Not understanding how the thing you’re insuring against might behave leaves insurers on the hook for damages they did not anticipate (or price into their policies).
How does that play out in practice? Policies are often written based on the insured’s attention to standard defensive measures, rather than the findings of comprehensive security audits, Bryan Rose, a managing director at Stroz Friedberg, told Reuters. That’s a big problem. As we know only too well, the gap between threats and defenses is wide and getting wider every day. And a questionnaire only measures what it asks about. As Target illustrates (the intrusion reportedly began with credentials stolen from a third-party heating and cooling vendor), questionnaires that fail to address third-party risk will also omit a major avenue for successful attacks.
More to the point for this blog: insurance firms that fail to take a hard look at application security, both in third-party products and in internally developed applications, will find themselves skating on thin ice, risk-wise.
As we know, many of the largest and most damaging data breaches come by way of attacks that exploit common and avoidable application vulnerabilities like SQL injection and cross-site scripting. Insurance firms that want to manage their risk need a strong foundation in application security, as well as the tools and talent to spot vulnerable and shaky applications - if not to ferret out specific, exploitable holes.
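To make “common and avoidable” concrete, here is an added example (not code from the original post or from any company mentioned in it) of what an underwriter’s application reviewer would look for: a login routine that builds its SQL by pasting user input into the query text, next to the same routine using bound parameters. It uses Python’s standard sqlite3 module, an in-memory database, and constructed sample users and attacker strings; the table layout, function names and plaintext passwords are simplifications for the demo, not a recommendation.

```python
import sqlite3


def make_db():
    """Build an in-memory user table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    # Constructed sample data. Plaintext passwords are a simplification for the demo only;
    # a real application stores a salted password hash.
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable form: user input is spliced into the SQL text, so it is parsed as SQL."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()


def login_hardened(conn, username, password):
    """Hardened form: the same query with bound parameters; input is data, never SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


# Constructed attacker inputs.
# 1. Closes the password literal and appends an always-true clause:
#    ... AND password = '' OR '1'='1'
TAUTOLOGY = "' OR '1'='1"
# 2. Closes the username literal and comments out the password check:
#    ... WHERE username = 'bob' --' AND password = '...'
COMMENT_OUT = "bob' --"


def demo():
    """Run both attacker strings against both login routines and return the rows each yields."""
    conn = make_db()
    return {
        # Legitimate credentials succeed either way.
        "vuln_honest": login_vulnerable(conn, "alice", "s3cret"),
        "safe_honest": login_hardened(conn, "alice", "s3cret"),
        # Tautology: the vulnerable query matches every row; the hardened one matches none.
        "vuln_tautology": login_vulnerable(conn, "alice", TAUTOLOGY),
        "safe_tautology": login_hardened(conn, "alice", TAUTOLOGY),
        # Comment-out: the vulnerable query logs in as bob with no password at all.
        "vuln_comment": login_vulnerable(conn, COMMENT_OUT, "wrong"),
        "safe_comment": login_hardened(conn, COMMENT_OUT, "wrong"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:15} -> {row}")
```

The two routines differ by a single line, which is the point: the fix costs nothing, and a reviewer who greps an application for string-built SQL (f-strings, `%` formatting, `+` concatenation feeding an `execute` call) can find the vulnerable pattern without needing a working exploit for each instance.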
This will be a painful transition for both insurers and their customers. Insurers will almost certainly take more baths in the wake of major breaches, as it appears they did in the Target incident. And companies seeking to hedge their cyber risk will need to do more than check the box next to “firewall,” “antivirus” and “intrusion detection.” They’ll have to lay bare both the protections they rely on and the security and resiliency of the applications they’re protecting.
In the long term, however, society as a whole will benefit from wider adoption of cyber insurance. The public and private sectors have pursued countless strategies to address this endemic problem. Lists like the OWASP Top 10 or the SANS Top 20 have long highlighted the most serious and common problems, with little to show for it. As companies look to manage cyber risk, and insurance companies step forward to help them do it, we’ll begin to create structures that internalize the true costs of weak cyber security for society. That process will bring short-term pain all around. But it will also produce long-term gains.