The brave new world of cyber insurance

Getting cyber insurance is a "last line of defense" that can also help secure a company before a hack even happens. But the industry needs more information, and Uncle Sam might have a big role to play.

Perimeter defenses have been penetrated the world over, and the modern cybersecurity conversation is all about how to mitigate the damage once your organization is inevitably breached.

Could cyber insurance be a smart way to ease the pain? Insurance pros say yes, but they need more information, and maybe government aid, for the space to grow.

Insurers as cyber auditors

Cyber insurance is an “important” tool, Deputy Treasury Secretary Sarah Bloom Raskin said at a Sept. 10 conference on the topic sponsored by the Center for Strategic and International Studies.

The actual payout companies could get from their cyber insurance in the event of a breach is a “last line of defense,” Raskin noted, but there’s more benefit to getting insured than just the money.

“The underwriting process itself can bolster cybersecurity,” she noted.

“At [insurance broker] Marsh, we don’t consider ourselves just in cyber insurance,” said the firm’s senior cyber advisory specialist Matt McCabe, echoing Raskin’s comment. “We’re in cyber risk management.”

When a company wants to buy cyber insurance, they don’t just fill out some forms, pay a premium and call it a day, McCabe said. “That’s just not how the industry works.”

Instead, companies work through an involved exercise as underwriters closely examine their cybersecurity setup and offer suggestions for improvement, something McCabe called “the closest thing I’ve seen to a deposition outside the courtroom process.”

Insurers typically stay on top of their clients afterward to promote good cybersecurity practices, McCabe added.

A dearth of information

A key challenge facing the industry is data.

“There’s a paucity of information” about cyberattacks on private companies, noted Suzanne Spaulding, the Homeland Security Department’s undersecretary for the National Protection and Programs Directorate. Companies just don’t want to talk about cyber incidents unless they absolutely have to (when hackers take information public, as happened with Ashley Madison and Sony Pictures, or when the release of personally identifiable information renders the company legally obligated to disclose a breach), Spaulding said. Underwriters are left with a big knowledge gap as they try to figure out the type, frequency and severity of cyber threats.

BitSight Technologies is one of the private assessment firms filling that gap, giving companies security ratings on a 250-900 scale, much like FICO scores relay the risk associated with lending to individuals.

“Cyber insurance is harder in many respects than traditional risk insurance, in part because the historical data hasn’t been aggregated but also because there’s less certainty about the effectiveness of ‘best practices,’” noted Jake Olcott, BitSight’s VP of business development.

Third-party assessors like BitSight probing company defenses from the outside can help insurers know the risk they’re taking on, and help companies understand how well they’re defending themselves (or how poorly; of the six industries BitSight tracks, two average “basic” security levels and four average “intermediate,” with only the finance industry topping 700 on average).

But Olcott said the government still needs to play an important role, “providing more information, more data for those underwriters.”

DHS’s Spaulding promised to help, plugging the department’s Cyber Incident Data and Analysis Working Group.

Geared at gathering private sector cybersecurity incident data into one shareable database, CIDAWG released a new cyber insurance white paper on Sept. 14, Spaulding said.

Incident reports coming to DHS will be anonymized and companies will face no liability for sharing information, Spaulding pledged, adding that her “cyber ninja warriors” have been working to ensure the information sharing setup is as secure as possible.

“We really want to incentivize information coming into one place,” she said.

According to Olcott, McCabe and other industry veterans, that data repository could prove invaluable for the nascent cyber insurance marketplace.