Does cyber insurance make us more (or less) secure?

If data is the new oil, then we’re looking at pelicans soaked in crude on a beach.

When an oil tanker goes down or an oil rig explodes, dumping millions of gallons of petroleum into the ocean, we clean up the spill, we look for first causes, and we hold the company – even individuals – responsible for the harm they’ve caused to a shared resource: the environment we all live in.

When a company like Equifax commits gross negligence for failing to secure our data, and a breach pumps 147.9 million records onto the internet, the company’s directors keep their jobs, their cyber insurance policy pays out, and the company posts a profit.

The Equifax breach harmed pretty much every adult in the U.S., and the company has yet to face any real consequences for its incompetence. Is this the future of cyber risk insurance – commit gross negligence and get away with it?

Maybe. Maybe not. CSO talked to more than a dozen cyber insurance experts and reviewed hundreds of pages of documents on the current state of the cyber insurance market. Here’s what we found.

The moral hazard of cyber risk insurance

“Moral hazard” is the term insurance wonks use to discuss the misplaced incentives that insurance can create. It’s not a new problem; it has been a part of insurance underwriting since the days of sail. Just as car insurance might encourage bad driving, or fire insurance might encourage people not to install smoke detectors, cyber insurance might encourage incompetent security practices. Why bother doing the right thing if insurance is going to pay you to do the wrong thing?

The time-tested strategy by insurance carriers to limit moral hazard is to use insurance deductibles and co-pays, and to cap maximum payouts. That way the insured shares in the financial risk and is motivated to drive safely, to install smoke detectors, and to deploy strong cybersecurity controls in their enterprise.

The moral hazard of cyber insurance haunts boardrooms.

The moral hazard of cyber insurance haunts boardrooms. The market remains in its infancy, and insurance carriers are still grappling with how to deal with this problem. Non-technical C-suite executives looking to manage cyber risk can and do fall into this trap. If you’re paying for insurance, why bother applying strong cybersecurity controls? It’s cheaper and easier to just hang out for the insurance payout and not bother doing the hard work of improving your security posture.

“The inevitable tension for firms,” a Rand Corporation study of cyber insurance policies concluded, “is whether to invest in ex ante security controls in order to reduce the probability of loss, or to transfer the risk (cost) to an insurer.”

That might be a conversation between just the company and their insurance carrier if breaches affected only shareholders. For example, insurance began in the age of sail, when sending ships on long international voyages was risky. Ships sank, pirates attacked, storms happened, etc. If a ship carrying spices from India goes down, the only people harmed are the shareholders (and the sailors, of course, the usual footnotes to history). If Equifax gets breached, the harm affects all of society.

Because of the moral hazard it creates, cyber insurance might be uniquely unfit to deal with these massive third-party harms to society at large. However, absent regulation, or even a government willing to regulate, cyber insurance might still be the best hope for improving cybersecurity practices across the board – at least for now.

The Wild West of cyber insurance

Cyber insurance has been around, in one form or another, for the last 20 years, since the dot-com bubble burst in the late 1990s, and has grown dramatically since then, Christian Stanley of Lloyd’s of London tells CSO. “Lloyd’s has about a third of the global market share,” Stanley says. “Year on year it’s dramatically increased compared to other lines of business.”

Most cyber insurance policies continue to be written for U.S. companies, although that’s beginning to change. Market demands for different kinds of cyber insurance are also in flux, driven both by legislation as well as emerging technical risks. Companies looking to buy cyber insurance can purchase either standalone policies or extend existing policies to include cyber risks.

In the last couple of years, business interruption has become the bigger driver of buyers coming to the market.

“Initially in 2003 with the laws that came into effect in California, there was a privacy breach focus,” Stanley says. “In the last couple of years, business interruption has become the bigger driver of buyers coming to the market.”

Cyber insurance policies can be complex and tricky to understand, and anxious C-suite executives are buying cyber insurance often without understanding the full extent of what policies cover and what they don’t. To grow the market and diversify the risk, insurance companies are taking on all comers, often with no adequate measure of the true risk any given insured enterprise faces.

Both insurance carriers and enterprise buyers of cyber insurance are groping their way forward in the dark, a potentially dangerous scenario. Most insurance carriers, however, are aware of this blind spot, and researching how to better measure and quantify cyber risk.