Cyber Insurance Problem & Solution

The cyber insurance market is described by people within the industry as a "soft insurance market," in that insurers do not have enough data to understand the market, assess the market risk, or be able to confidently predict the future financial performance of the market.

The mature insurance industry is rushing into this new cyber insurance market (55 cyber insurance companies and growing), but they have not yet figured out how to quantify and/or manage their risk. Among other things, they are trying to come to grips with the following issues:

• How to understand and predict cyber risks for different kinds of businesses
• How to help companies change their behaviors in order to reduce risk
• How to build insurance products for different kinds, sizes, and (especially) interconnected businesses
• How to price those various products

Current policies/products, for both large enterprises and SMEs are not priced realistically from an actuarial standpoint with respect to the real underlying cyber risks.  As of Q1 2015, insurance companies are still able to make money from their cyber insurance products.  This is due to a lack of claims and a layered sharing of risk among multiple insurers and re-insurers.  Also, the legal environment is still immature and evolving, and insurance law and litigators are still coming to grips with defining how they will fit into the cyber defense landscape.

This period of quiet and calm is expected to change soon as the threats and losses grow.  

Many of the newer entrants into the cyber marketplace do not have premium reserves built up to protect against larger claims and losses.  When claims start to increase, this will inevitably result in losses, and insurers will respond by raising premiums, denying claims, refusing to renew policies, and increasing security requirements to client businesses.  They will also shift more risk burden to business clients and possibly the government. 

Currently, the cyber insurance products in the marketplace are not reflective of the cyber threats actually facing businesses.  The reasons for this are:

• Insurance companies are finding cyber risks very difficult to model because they are not geographically contained and are unusually systemic.  A vulnerability in one insured client can affect many others, potentially putting the insurer on the hook for simultaneous, large payouts.
• Insurance companies are not yet requiring businesses to "get physicals" or assessments as a condition to being insured.
• Insurance companies are not able to quantify the quality of companies and products used to defend networks.
• Insurance companies are not yet sharing loss data.
• Business leaders overestimate by a factor of five how well they are covered by insurance in general and probably much more so with respect to cyber insurance.
• Businesses can still purchase cyber insurance for relatively insignificant sums.
• Businesses are not yet willing to pay the premiums necessary for services such as forensic investigations and litigation defense.
• Business leadership is only beginning to understand the seriousness of the threat landscape and, to date, has not been adequately motivated to deploy the resources to protect their networks and intellectual property.

The cyber security risk environment is changing, driven by the following:

• Government regulation
•  Continuous media coverage of breaches and hacks
• Insurance industry pressure
• Litigation
• Pressure from large business enterprises on their third-party vendors to bring their security into alignment with their own security postures
• The expectation of more and larger claims

A core driver of the uncertainty in the cyber insurance market is the lack of data that can be used to define and predict risk.  It is clear that insurance companies will require broader and more sophisticated data related to many aspects of cyber security and the business practices related to it.

Underwriting and actuarial departments will require continuous, current data in many areas, and Data1Qbit will be in a position to supply a wide range of customized cyber security company and product data to underwriting and actuarial departments on an on-going, 24/7 basis.  This data will be collected about ALL defensive and offensive cyber security product manufacturers (over 2,200 thus far) and ALL their products--globally.  The data will be organized around an accepted ontological schema that will promote machine learning and system interoperability amongst our customer base.

Data collected will include:

• Cyber security company/vendor data: including financial, legal, security, historical and current user sentiment, and other data
• Cyber security product data: including product viability, support, specification, security, user sentiment, geospatial deployment, and other data
•  Breach data and common vulnerabilities correlated to the full range of cyber security products
• Product updates and patches correlated to the full range of cyber security products
• Current breach and hack news correlated with the full range of cyber security products
• Neutral, anonymous aggregated loss data from cyber insurance user companies
• Cyber security litigation data

Data1Qbit is positioning itself to provide all the data categories listed above, plus other data as it becomes available to us and as is requested by insurance clients, and which falls within our data collection capabilities.

 

WSJ Article April 13, 2015: Companies, Seeking Common Ground on Cybersecurity, Turn to Insurers (Excellent article providing additional insight regarding the above subject matter).

Insurance Journal Article May 1, 2015: AIG Annouces Partnerhip with BitSight (Another article highlighting the growing trend of collaboration between cyber security and cyber insurance industries).

Insurance Journal Article May 18, 2015: Marsh Partners with FireEye on Cyber Risk Management Program (Another article highlighting the growing trend of collaboration between cyber security and cyber insurance industries).