In the first article in this series, "Cyber insurance: Black Swan or Golden Goose?," we discussed the evolution of cyber risk insurance products and the challenges of scaling existing solutions to meet the needs of small- and medium-sized enterprises (SME). In this article, we conclude the discussion, focusing on key data elements and sharing information within the industry to quickly enhance product and service capabilities.
Data that divides
An essential element to underwriting any type of risk—whether property, liability, or cyber—is the collection of exposure information to clearly define and segment types of risk. Even so, cyber risk in general represents a new frontier. What information provides the sharpest insights and associated variables that segment operations and helps insurers better understand the likelihood of a breach?
In the commercial property space, we use a system that reviews the key areas of information on a building or property that underwriters require to accurately write a policy. In the case of cyber, we need a similar system focused on the three key areas of information needed to support cybersecurity underwriting and decision making: culture, protection, and exposure.
A common theme among many businesses that have overhauled their cybersecurity practices is culture change. That transformation very often starts at the top, with C-level executives integrating secure cyber practices within the workforce and bringing cyber risk to the forefront of operational strategies. A resilient culture may be difficult to define, but it's arguably one of the best measures to help prevent a cyber loss event or mitigate losses from outside attacks.
More than half of all cyber attacks in 2013 were the result of employee negligence, according to Infosecurity magazine. That number has declined, in part due to other forms of attack but also because of stringent policies and education programs instituted within many large companies.
Analyzing the exposure of a commercial business introduces challenges not necessarily present in more traditional lines. First and foremost is sourcing the data. Although IT departments usually aren't involved in the insurance purchasing process, they're often the first-and possibly only-line of defense when it comes to cybersecurity.
Many SMEs outsource much of their IT services to vendors. Facilities managers may not know information about the mail server host or SSL certificate. Understanding the value of the data and assets that employees collect, store, and analyze is also highly important. "Thinking like a hacker" allows a business to consider data and web-facing assets with a view of what's most vulnerable, what needs additional protection, and how to prioritize resources to help ensure more secure operations.
The last piece of the puzzle involves data related to types of protection, or security, used by an operation. This information includes security protocols and employee access to records, software, and freeware along with levels of security within cloud platforms accessed by operations. This data is usually the most difficult to capture and evaluate.
Each of these three categories speaks directly to workforce considerations when devising and launching a cybersecurity strategy. It's crucial to remember that purchasing cyber insurance doesn't equate to practicing cyber risk management. It's merely part of a larger process. Insurers that are able to gather the most information, evaluate and categorize it appropriately, and devise a product to serve the many unique segments will likely be successful. This means that traditional segmentation, by geography or SIC code, will likely not suffice. We may find that the primary segmentation categories will be e-commerce revenues, cloud-computing vendors, or a number of web-facing devices.
In addition to the challenges presented in gathering the key cybersecurity information, the insurance industry as a whole also currently struggles with sharing and communicating intelligence among peers. This often puts many insurers at a disadvantage from the start. The hacker space is rife with knowledge sharing and communication, exposing vulnerabilities and strategies to attack systems and improve attacks through phishing, malware, and ransomware. At present, the insurance industry lacks a central source of claims and loss-related information to help level-set the ratemaking process, which can have repercussions up through the reinsurance sector largely due to a lack of aggregated knowledge and loss experience.
One potential solution involves regularly disclosing cyber insurance data as part of statistical reporting. The federal government (including the Department of the Treasury, the Department of Homeland Security, the Federal Insurance Office, and the White House Cybersecurity National Action Plan) has called for voluntary sharing of information from breach and security events to help expedite understanding of the current threat and establish resources to address vulnerabilities. The insurance industry has a long and successful history of sharing policy and claims-related data to help improve market conditions and performance in more traditional lines, and it's likely that this same practice can benefit the cyber risk insurance space.
Cyber risk presents a challenging environment for many insurers to operate in, primarily due to the dynamic risk and hazards, a lack of understanding of the vulnerabilities, and a lack of loss experience to build and standardize coverage and language. An opportunity exists for many insurers to work directly with their policyholders to educate, gather operational data (in the form of cyber COPE), and begin building product solutions that match the risk variations presented in different industries. Sharing data among peers, using third-party data experts, and devising new ways to serve customers can foster a cyber insurance market that helps meet the needs of businesses large and small.
Zack Schmiesing is director of thought leadership for commercial lines underwriting for Verisk Insurance Solutions. He can be contacted at ZSchmiesing@verisk.com.