A Market Is Born
Cyberinsurance doesn't need a government backstop
by Eli Lehrer
In 1988, Robert Tappan Morris, then a graduate student at Cornell University, decided to write a computer program to measure the size of the still-nascent Internet. Morris’s effort, a cleverly written bit of code that exploited security weaknesses, quickly spread through the computer network, bringing many systems to a halt by copying itself endlessly.
Within hours, a portion of the Internet had simply stopped functioning. Professors lost days of work. Emails went undelivered. Machines took days to disinfect. Morris’s caper made the front page of the New York Times, and he became one of the first people convicted of a computer crime under federal law.
Today, a handful of office buildings in any major downtown contain as many connections as the entire Internet had in 1988. An attack that literally brought down much of today’s Internet, as Morris’s did, would be devastating.
But the attacks we do commonly see, and which frequently make headlines, have taken on a very different character. Major data breaches have rattled the stock prices of firms like Target, which reported more than $252 million in damages from its 2013 breach. Sony Pictures Entertainment suffered a 2014 breach that U.S. officials say traced to North Korea, possibly in protest of the movie The Interview (a satirical depiction of the assassination of Kim Jong-un). More recently, Ashley Madison, a website for affair-seekers, was hacked by a group claiming to be disgusted with its business model.
Sony canceled the theatrical release of its movie, and Ashley Madison’s CEO resigned. But thus far, the sort of catastrophic, system-wide failure that we saw in 1988 has not yet come to pass. The last worm sufficiently widespread to slow the entire Internet was Sobig.F in 2003. Indeed, as software and operating systems have diversified and real-time updates have made it easier to distribute security patches, fast-spreading worm and virus attacks like Morris’s are becoming less common.
Which is not to say that cyber risk isn't an issue to confront. The German insurance firm Allianz estimates the United States has suffered more than 5,000 data breaches over the past decade, at an average cost of $3.8 million each. Insurance companies have noticed. Changes made in May 2014 by the industry advisory firm ISO (Insurance Services Office, Inc.) to the commercial general liability policy included much broader exclusions of the kinds of cyber risks that standard policies used to cover. Instead, companies are having to buy separate cyberinsurance policies in what's called the "stand-alone" market.
The current market for cyberinsurance is estimated to be about $2 billion, with the largest policies covering about $500 million of risk. It is a fast-growing market, with predictions it could triple in size over the next seven years. Nearly 80 percent of insurance executives surveyed earlier this year by the Insurance Information Institute, a trade organization, said cyberinsurance is a growth field.
But for some, that growth has not been fast enough. In a report last month, the Federal Insurance Office estimated that current market risks require policies with coverage limits of at least $1 billion, twice what’s currently available. And industry-watchers are beginning to hear calls for a new, much-expanded government role in cyber risk that might include a federal “backstop” to pay large claims. At least two congressional offices are working on bills on that topic.
There are major reasons to be suspicious of efforts to increase the government's role in cyberinsurance. The market, though relatively small, is working fine: it is growing, and the companies offering the coverage are fully solvent. Moreover, insurance is just one way to manage risk, and it isn't the proper role of the government to prescribe that it be the only way. Finally, the nature of the risks seen in the market thus far is not of the "systemic" variety. Hasty action to insert government into this area would almost certainly do more harm than good.
Some of the current flaws in the market for cyberinsurance come simply from a lack of experience. As with any new risk, it takes time for insurers to develop mathematical models and gain experience that let them price their policies appropriately. As a result, the terms and conditions of policies now offered, and the premiums demanded for those policies, can vary greatly based on the size and nature of the business and the appetite of the individual insurer. While a small firm seeking a general liability policy might find that all firms offer essentially the same coverage and have prices that differ by 15 percent, it’s not uncommon to find 50 percent variances in price and vast coverage differences in the cyberinsurance marketplace.
That market will continue to develop, particularly as the industry and its advisers find ways to share and pool information. But even as it does, the decision about whether and how much cyberinsurance to purchase ultimately will be left up to individual firms. Unlike terrorism risks, for which there is a $100 billion federal backstop, insurance for cyber risks is almost entirely voluntary. Terrorism coverage is needed for commercial property, where it is required by lenders, and for workers' compensation, which is required by law in almost all states. Whether to transfer cyber risks to insurers, retain those risks, or invest in better security is a question for individual firms to decide.
Not only isn’t cyberinsurance a requirement for most forms of economic activity, but there’s little evidence that cyber risks are “systemic” in a sense that would justify government intervention. Systemic risks are those that affect all or nearly all segments of the economy at once. Cyberattacks overwhelmingly target individual companies or try to steal individuals’ financial information.
One can’t entirely discount the possibility of “tail risk,” or “black swan” attacks that are so large they bring down significant portions of the Internet all at once. These have drawn the attention of some highly respected insurance industry figures, such as Stephen Catlin of XL Catlin. Since so much vital infrastructure—including the power grid—is tied to the Internet, a true “systemic failure” would be devastating to the economy as a whole.
But the kinds of Internet-wide attacks that are easiest to conceive would require physical destruction of infrastructure. If committed by private actors, these would be terrorism, and would be covered by a combination of public and private insurance programs. If instigated by state actors, they would be acts of war, which has never been an insurable risk. To be certain, if China or Russia were to launch a full-scale attack on America's Internet infrastructure (even one carried out entirely by hackers), there would indeed be a federal response, and it is one that doesn't require any government involvement in the cyberinsurance market.
We should watch carefully as this market develops and avoid doing the kinds of things that could create moral hazard or discourage private efforts to improve cybersecurity. Such missteps would leave the country even more open to catastrophic attack. There may also be a governmental role in encouraging big companies to audit and secure their information systems, just as they do their financial controls. A still-nascent effort to build a system for rating cyberinsurance risk, similar to bond rating, might also benefit from some encouragement and coordination.
But for now, the burden of proof that we need additional government intervention in the cyberinsurance marketplace, much less a partial takeover of the market through a backstop, should remain squarely on those asking for it.
Eli Lehrer is president of the R Street Institute.