There's no easy way to set cyber insurance rates.
As data breaches become increasingly commonplace—while remaining potentially catastrophic—organizations are looking to the insurance industry to help insulate them from the potential fallout of a breach like the pair at the Office of Personnel Management that together affected more than 22 million people.
But the young cyberinsurance industry suffers from a lack of the data it needs to accurately predict the risk of a breach, leaving it without an easy way to set insurance rates and keeping it from reaching the mainstream.
To help improve the data needed to understand risk and set rates, the federal government is bringing together insurers and companies to consider how to share more information about breaches.
The main obstacle to creating an accurate and complete database that reflects the landscape of cyber threats is the tendency of businesses to want to keep network breaches and data-loss incidents to themselves.
Unless companies are required by law to report a breach—as they generally are when a breach results in identity theft, for example—they have an aversion to sharing information about cyberattacks with other businesses, the government, or the public, in order to protect their reputation.
Because of this instinct to keep quiet about incidents, there is a shortage of actuarial data about the risks of data breaches, and that shortage is hobbling the cyberinsurance industry.
“You have to be crazy to underwrite right now because you don’t know what’s a wise way to set premiums,” said Costis Toregas, associate director of the Cyber Security Policy and Research Institute at the George Washington University.
“Basically, it’s a crapshoot,” Toregas added. “It’s throwing darts at the wall to try to establish rates.”
One possible solution to the data problem would involve the government. The Department of Homeland Security is bringing together organizations—including insurers and private companies—to discuss setting up a “third-party repository” for cyberincident information.
Such a repository would take in anonymous reports and make them available to the public, so that insurers, other companies, and researchers would have a better sense of the frequency and scale of cyberattacks, said Suzanne Spaulding, under secretary for the DHS’s cyber arm, the National Protection and Programs Directorate.
“What are the kinds of information that a company might be comfortable providing—again, without attribution to the company—and that would be useful, both for understanding the nature of the challenge we’re facing, but also for insurance folks to begin to develop products that could help promote safety?” Spaulding asked during a cyberinsurance event at the Center for Strategic and International Studies last month.
Such a repository is inching towards reality. A DHS working group dedicated to cyber incident data published a white paper last month with 16 data categories it proposed for the repository. The categories include a timeline of the incident, its severity, the apparent goals of the attack, the assets affected or compromised by the attack, and the cost of the breach.
Without this data, the only option available to insurers is coming up with a computer model to predict cyber risk, a field which Toregas says is “totally at its infancy.”
But the need for cyberinsurance is high and growing, and not just to protect companies from the often disastrous effects of a breach.
“The underwriting process itself can bolster cybersecurity,” said Treasury Under Secretary Sarah Bloom Raskin at the CSIS event. “To qualify for cyberinsurance, a business typically fills out an application seeking details on its risk level and controls that mitigate the risk—the act of engaging in this process helps businesses identify tools and best practices that they may be lacking.”
For now, the size of the cybersecurity insurance market remains a fraction of its potential.
“The unlocking of the potential market into the hundreds of billions of dollars will happen when they either develop a comprehensive kind of statistical base of losses, or some strong models that can tell them with some level of confidence, ‘I predict that if you do the following five things, your losses will be lower than the other guy who had only four of those things ticked,’” said Toregas.