I read this post last week about expectations on cyber insurance shaping the future of cyber security. At one point, I had the same view: there is a strategic advantage to a company, or an insurer, to develop optimized models on cyber security investment. I’ve come to accept that, like forecasting the weather, there are just too many variables in IT for such a construct to take hold, at least for the foreseeable future. Reports I read about cyber insurance typically cogitate on 3 things:
- How does the nebulous concept of “loss” from a cyber security event get calculated? Some losses can be huge. Where does the line get drawn?
- Partly because of #1, and partly because of the difficulty in predicting the rate at which cyber incident-related losses will happen, cyber insurance carriers are very likely carrying a lot of risk.
- Insurance companies are going to drive security discipline in their clients through variable rates, or withholding coverage, based on the clients’ hygiene.
Worry over the health of cyber insurance companies due to the perceived dual unknowns of loss magnitude and frequency seems misplaced, because insurance carriers do not offer uncapped damages in their policies, at least that I am aware of. Indeed, the caps are relatively low, and the premiums are quite expensive. Given that, insurers shouldn’t need to define loss rates or magnitudes with significant precision to avoid losing money overall – they just need to make an assumption about how many clients will file a claim in a given year and set premiums accordingly. Even then, carriers cover themselves through their own policies with reinsurance carriers.
Where things will get interesting is when/if the cyber insurance market becomes highly competitive and carriers are competing on premium rates. I expect that we will indeed see carriers trying to drive hygiene of clients, and to some extent, we are seeing this already through various partnerships between cyber security companies and some insurers, though I expect that is more a statement about the smooth sales pitches of those security firms than a significant need of the carriers. In the US, at least, Progressive Insurance offers customers a discount on auto insurance if they are permitted to monitor the driver’s behavior through a device that plugs into the car’s OBD-II port. I can see a cyber equivalent, though I am not sure exactly what form it will take. And to be honest, I am not sure how helpful the data would be in measuring the likelihood of a company being breached.
Net: don’t cry for insurance companies; don’t expect insurance companies to deliver the IT industry from our breachy ways.
I saw several posts this week about Ponemon’s latest survey on data breaches. I still contend that they are not very helpful for prioritizing security programs because they are not statistically valid; they are backward-looking, subjective opinion surveys. So why do people pay Ponemon to do them? It hit me earlier this week: Ponemon reports, and reports like Ponemon’s, are not intended for infosec people. They are intended to help infosec vendors understand the buyers of their wares. I suspect most of the rest of the world already recognized this, but I am not always the sharpest knife in the drawer.