Cyber Insurance Plays Critical Role in Mitigating Cyber Risk

By the Executive Vice President and General Counsel at Marsh & McLennan
The evolution in the sophistication and intensity of cyber threats has been astonishing. Just a few years ago, the principal form of cyber threat was a denial of service attack that might disable an organization’s website for a brief period.
In 2013 and 2014, hackers turned their focus to the theft, particularly in the retail sector, of credit card and other personal data.
Last month, however, we saw an attack with far-reaching ramifications. The German government reported that hackers caused “massive damage” to an iron plant by disabling the electronic shut-off systems on the plant’s furnaces. The intruders gained their foothold through an elaborate spear phishing campaign and then, armed with “detailed knowledge of the industrial control systems,” inflicted damage across the plant.
This escalation of cyber attacks to physical assets reflects the growing threat posed to our critical infrastructure. In marshalling defenses to combat this threat, there is an important role for cyber insurance to play.
What does cyber insurance have to do with cyber security? A lot. Cyber insurance has the potential to create powerful incentives that drive behavioral change in the marketplace.
The simple act of applying for cyber insurance induces companies to conduct gap assessments of their own capabilities, because insurers will want to know: does the company have an incident response plan, sound protocols for patching software, and regular monitoring of its vendor network?
As Deputy Treasury Secretary Sarah Bloom Raskin recently stated in a speech to the Texas Bankers Association, cyber insurance is one element, among many, of a comprehensive risk mitigation strategy.
“Cyber insurance cannot protect your institutions from a cyber incident any more than flood insurance can save your house from a storm surge or D&O insurance can prevent a lawsuit,” Raskin said. “Qualifying for cyber risk insurance can provide useful information for assessing your bank’s risk level and identifying cybersecurity tools and best practices that you may be lacking.”
There are three core types of cyber insurance. The most basic provides protection for out-of-pocket expenses that a company incurs in the wake of a data breach. The second protects a company if its computer network is effectively shut down for days or longer. The third type is for harm caused to an insured’s customers or consumers as a result of a significant breach.
Once an insurance policy is placed, the insurer has every incentive to assist the policyholders to the greatest extent possible to avoid or mitigate attacks. As a result, many insurers now offer monitoring and rapid response services to policyholders.
And the market is responding. The highest take-up rates for cyber insurance among Marsh’s clients in 2014 were in health care (50 percent), education (32 percent) and hospitality and gaming (26 percent). These numbers are up sharply from the prior year.
These industries handle a large volume of sensitive personal information, including health care data, Social Security numbers, and credit card information. In fact, as a result of statutes like HIPAA, the take-up rates in health care are higher than any other sector of the economy. There were also marked increases in the power and utilities sector.
And while take-up rates increased noticeably in both large and small companies during the past two years, our analysis of the market shows there is a substantial, and indeed growing, gap between the two segments.
Thus, insurance market forces are creating important incentives for companies to invest in more robust cyber defenses. This dynamic has occurred many times in many industries. Take workers’ compensation as an example. Insurers helped drive the adoption of safety protocols to protect workers. Over the last two decades, we have seen the number of fatalities in the workplace drop by over 35 percent. This same dynamic can occur in the cyber arena, with insurers providing incentives for those companies that implement risk mitigation measures like two-factor authentication and malware detonation (sandboxing) software.
Overall, the cyber insurance market remains modest in scale. Marsh estimates that total written premiums for cyber insurance in 2014 were approximately $2 billion. And while the uptake of cyber insurance is rising significantly, it is still just a sliver of the entire U.S. insurance market of $1 trillion in premiums.
For all these reasons, cyber insurance can serve as one important component of a comprehensive risk mitigation strategy.