I read Rami Sass’ recent piece here on Podium about how cyber insurance is overhyped. While he raised great questions about the current pricing models and fear-driven tactics used to sell coverage, I wanted to share a different perspective and address his concerns.
Insurance exists because of insecurity in the world — health insurance in case you get sick, car insurance in case of an accident, homeowners insurance in case of a fire. The biggest insecurity businesses face today is cyber risk — phishing attacks, data breaches, social engineering, and more.
In fact, cyber experts believe that all businesses will at some point experience a cyber attack. This is not a question of if they’ll experience a cyber attack, but when. A 2018 report from Inc and Cisco found that 60 percent of the small- and medium-sized businesses that are hacked go out of business within six months. Breaches of well known companies may dominate the headlines, but SMBs are facing the largest risk, since an attack can mean the end of a business.
It’s not just hype — the demand for cyber insurance is rising. The sector is expected to reach a $7.5 billion valuation by the end of the decade. Cyber insurance is the most viable way businesses can protect themselves and remain resilient from the damages and costs that come with an attack.
Don’t get sold on cyber security companies
Rami argues that “cyber insurance may not be the straightforward and comprehensive solution that companies may think it to be.” Unfortunately, the same could be said of cyber security tools.
The security industry is targeting cyber attacks, with companies spending over $100 billion annually on security software. But, in just a few years, the losses from cyber crime are estimated to rise to $6 trillion. The gap between those two numbers should not be so large. One report even found that 74 percent of cyber crime victims don’t even know how they were breached.
Something must be done to protect these businesses. Software companies have played on business owners’ fears, peddling technology that creates a false sense of security. Companies are increasing their spending on security, but not reducing the risk. The truth is, no single piece of technology can prevent a cyber incident. Instead, you need to align financial incentives, and that’s where cyber insurance comes in
Unlike security software providers, insurers’ incentives are directly aligned with their policyholders since the insurer pays out in the event of a loss. In this way, companies gain a true risk management partner, rather than just more software. With continuous intelligence on the entire risk ecosystem, cyber insurance companies are making protection for businesses easier and more accessible, while making things more difficult and more expensive for attackers.
Data determines pricing
Rami argues that insurers need to improve pricing, data collection, risk mitigation, and education, but in each of these fields, the industry is working to make cyber insurance more accessible.
Rami writes, “There frankly is not yet enough data out there on the real costs involved in a data breach to help actuaries properly price their products.”
But this data collection process has completely shifted with new approaches to underwriting. Traditional underwriters often require companies to fill out up to 25 pages of highly technical forms, which is inefficient and tells insurance companies little about the risk that companies actually face in the cyber realm.
However, leading insurance companies are using friendly hackers and cyber experts to approach the underwriting process and determine a company’s risk profile. In addition to utilizing cyber experts’ knowledge, companies are collecting large amounts of data on a policyholders’ network and security architecture. This allows insurance companies to build a body of knowledge around cyber risk and improve the accuracy of pricing well beyond what they could do with paper forms.
Insurance mitigates risk
In addition to insurance coverage of costs associated with an attack, cyber security companies are also offering risk mitigation tools to protect companies before and during an attack. This is where aligning financial incentives comes in.
Rami argues, “Perhaps if cyber insurers begin to offer incentives to organizations that educate their teams […] we may yet see a valuable improvement in preparedness across a wider range of companies.”
Yet, leading insurance companies are providing policyholders with the right software and systems to protect their business and prevent a breach. In the event of a breach, some insurers also offer incident response services, like a team of security experts that work immediately to mitigate damage and restore stability. These risk mitigation tools are paired with education around how cyber attacks occur and how they can be prevented. As companies learn from cyber insurers what causes cyber attacks, they will begin to self-regulate their behavior to prevent breaches.
Cyber insurance today is the health insurance of tomorrow. The growth of cyber insurance will lead to self-regulation of the way companies handle data. In various industries, insurance companies require policyholders to follow certain rules in order to maintain a policy. When insurance is a necessity, this translates into self-regulation of the way people or businesses act. As cyber insurance is used more widely, more companies will change the way they handle data in order to meet policy requirements and mitigate the chance of an attack.
Insurance companies are paying claims
The ultimate reason for companies to hold cyber insurance is to be protected financially in the event that they experience a security incident. Rami highlights the controversial example of Zurich Insurance denying Mondelez’s claim for damaged property. This example is the source of much debate in the insurance world, and it remains to be seen whether Zurich will even be able to prove the act of war exclusion.
However, many other insurers have paid out material claims for cyber attacks. Equifax reported that $125 million of the $439 million costs for its massive 2017 breach were covered by insurance. Target’s insurance policy also covered a substantial portion of its losses from its 2013 breach.
Given the existential threat that cyber attacks pose to small businesses, cyber insurance is a necessity. Businesses will at some point be a victim of a cyber attack and a cyber insurance policy, rather than cyber security, is best fit to prevent an attack from ending a company.