Learning from Cyber History

I graduated from college with a degree in history. During my freshman year, one of my favorite professors stated something that remains with me to this day. He said there are two types of people in this world: There are those who believe history is linear, it doesn’t repeat itself, and things happen for a reason. Then there are those who believe history is circular and that people who don’t learn from the past are doomed to repeat it.

Regarding the “history is circular” position, in my opinion, no one knows that better than those who work in insurance and risk management. The problem with cyber insurance, however, is that learning from history has become a major challenge.

Part of the reason is that cyber risk is constantly changing. Hackers continually find new targets and new ways to attack, and they adapt quickly as technologies change. There’s also the reality that cyber criminals work in secret, stealing and selling our personal information often without us ever knowing. But perhaps the biggest problem is really what happens after an attack.

Businesses are often reluctant to share details about their data breaches. They could be afraid of losing the trust of customers whose personally identifiable information was entrusted to their care. They could also be worried about how investors will react and, if their stock price drops significantly, the possibility of protracted litigation. Whatever the reason, the federal government and state regulators have noticed the trend.

The lack of data was discussed at a meeting of the National Association of Insurance Commissioners (NAIC) Center for Insurance Policy and Research in March. An article in the NAIC’s newsletter said insurers have been forced to look carefully at a company’s cyber security culture and the measures that staff take to keep the company cyber-safe. But without data, how are insurers supposed to know how effective those security measures are at reducing risk?

To address the situation, last week the NAIC formed a special task force to help coordinate insurance issues related to cybersecurity. According to their press release, the task force will make recommendations and coordinate NAIC efforts regarding:

  • the protection of information housed in insurance departments and the NAIC
  • the protection of consumer information collected by insurers
  • the collection of information on cyber-liability policies issued in the marketplace

The first two charges of the task force are critical: If insurers can’t protect their own data, why would businesses buy cyber insurance from them? But it’s the third task — that of collecting information from the cyber insurance marketplace — that I’m excited about. After all, it’s only by learning from the past that we can see the industry develop in the future.

If you want to enter the cyber insurance market or learn about any of ISO’s various cyber insurance product offerings, visit the ISO Cyber Risk Solutions website,, or e-mail me at You can also follow me on Twitter @doughertyshawn.

Shawn Dougherty

Shawn Dougherty is the assistant vice president of ISO's Specialty Commercial Lines Division. He is responsible for providing the overall direction, leadership, and client service for ISO's cyber liability (e-commerce), D&O (management protection), businessowners, crime and fidelity, financial institutions, employment-related practices liability, and professional liability (other than medical) insurance programs. He is also the ISO product manager for the Lloyd's Wordings Repository, an electronic database of policy wordings and clauses regularly used within the London market. Mr. Dougherty has worked at ISO since 1988.