Breaking the log jam - data for informed cyber-insurance

Opinion by Dr Mike Lloyd

The problem with cyber-insurance is a lack of data for understanding risk, but third-party technologies can measure and quantify the defensive state and breach risk of each organisation by using standardised, repeatable yardsticks.

Cyber-security is approaching an inflection point, where several major forces are combining to produce a much-needed breakthrough.  The reason why: cyber-insurance.

Cyber-insurance is hardly new. It's been around for years, and is growing, but has not yet matured out of the awkward early stages. What's holding it back?

The problem isn't lack of demand – organisations want to buy cyber-insurance.  After all, it's abundantly clear from news feeds that breaches are continuous, with many household names being embarrassed by losses affecting tens of millions of customers.

Nor is the challenge that insurers don't want to sell into this market – indeed, insurance companies thrive in risky, uncertain territory. Lloyd's of London started out insuring losses due to shipwrecks or piracy – threats every bit as hard to predict and financially destructive in their day. Many insurers do now offer cyber-policies, but they lack good data. They want to expand coverage, but they are challenged by the complexity of potential losses and the dynamic nature of networks and threats.

There's a second, subtle problem with the immature cyber policies currently on offer – lack of guidance.  For cars, the insurers know a great deal about features that make them safer or riskier, and they also know about driver behaviours that are more or less likely to lead to claims.  They can price the insurance to encourage better behaviour, and it works. Part of the reason our roads get safer every year is that insurers push car buyers who push car manufacturers towards ever safer designs. 

This hasn't happened in cyber-insurance – yet. When a company goes out to buy a typical cyber-policy today, they are asked to fill in a questionnaire about their organisation's security practices. I've spoken to people who fill in these questionnaires, and to the people who set them from the insurance side – neither believes they are really all that reliable. (Imagine if your car insurance company just asked you, before you got a policy, “are you a good driver – yes or no?” That would be ridiculous – they need some way to check.)

So, on the one hand, we have companies in fear of being the next front-page story of a breach who want to buy more insurance. On the other, we have the insurers, who offer limited policies because the risks are dynamic and complex and they lack the data to understand them. Companies want policies that can cover huge losses at a reasonable price, but the insurers face serious unknowns, and so limit coverage until they have more information.

This pent-up demand has been sitting there, like a log jam on a river, waiting for the key blockage to be removed.  As I work with insurance companies in Europe and the US, it's clear from the inside that the breakthrough is very near.  All the insurers need is a little more data, about the actual security practices a company is using (analogous to car driver habits).

This is now happening, due to a collaboration between insurers, security technologists, and insured companies. The insured companies do not want the burden or the commercial risks of exposing details of how they run their security, even to their insurers, but they do want the insurers to help guide their investments towards the choices with real ROI. This is where third-party technologies enter the picture. They can measure and quantify the defensive state and breach risk of each organisation by using standardised, repeatable yardsticks.

For security practitioners, the take-away from all this is to watch closely as the insurance market heats up, offering stronger policies with more financial incentives available to those who can demonstrate superior security practices.  It gets a lot easier to communicate about security to the business when the CFO is hearing from the insurance broker about the discounts they can receive for investing in better security! 

Dr Mike Lloyd, CTO, RedSeal

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.
