Lack of incident response holding back cyber insurance market
By Craig Carpenter
Cybersecurity needs “virtual sprinkler systems” to help tamp down risk
The hottest topic in the insurance world today is cyber risk insurance, or coverage for the response to and fallout from cyber crime and breaches. As Reuters recently highlighted, the cyber insurance market is set to double in 2014 over 2013 – heady times indeed for a traditionally slow-growth industry in search of new markets. The need for cyber insurance has never been more acute, with numerous, massive incidents at companies like Target (whose CEO subsequently lost his job) and eBay, as well as government agencies including the Office of Personnel Management.
Although these high-profile breaches have led to skyrocketing interest in cyber insurance, they have also highlighted a glaring weakness in insurance companies’ ability to price – and therefore offer – such coverage: the lack of incident resolution expertise, technology and processes among clients requesting coverage.
2014 has already been a banner year for hacking activity leading to major cyberbreaches, from the aforementioned eBay and Target breaches – a trend which hit fellow retailers Neiman Marcus and Michaels Stores – to the alleged Chinese hack into the U.S. government’s Office of Personnel Management’s systems. According to IDG, the first half of 2014 saw a 21% increase in data breaches over the same period in 2013. At this pace, 2014 will easily eclipse 2010 as the worst year on record for data breaches.
This has led to an explosion in interest in cyber insurance, helped along by widespread coverage of Target’s ability to cash in on the $100 million of “tower” cyber insurance coverage it carried into the massive breach of its point-of-sale systems – to the tune of $44 million in reimbursements through Q1 2014 alone. Inevitably, this led to two simultaneous and opposite reactions: among potential insured entities, the interest level in cyber insurance exploded as more companies sought to mitigate their own growing exposure to cyber breaches, while amongst insurers the Target example led to the sobering realization that they cannot effectively price cyber risk.
The cyber insurance market is being held back by a lack of maturity in two critical areas. First, insurers have an alarming inability to model client risk. Cyber insurance is so new there is almost no empirical data for insurers to use – and empirical data is the currency of insurance. Without this knowledge, it is virtually impossible for a policy to be priced accurately. This is akin to writing an auto policy without knowing if the driver is a 45-year-old professional non-drinker or a 21-year-old college student.
As it has always done with new policy types, the insurance industry will eventually build up enough empirical data to make risk modeling reliable. Getting there, however, will involve threading the needle between covering too much risk (thus losing money on overly aggressive policies) and eschewing manageable risk (thus allowing competitors to profit from one’s own timidity).
Second, insurers aren’t yet requiring clients to become prepared to deal with major breaches. As the Target board has come to realize, even a company with virtually limitless resources can be unprepared for a breach. For the insurer, this would be like writing a fire policy without requiring the client to have a sprinkler system. Why would insurance companies do such a thing? Because they approach the problem very much like their clients: that a breach is something to be prevented, not to be expected, detected and remediated quickly.
How can potential insureds and the insurance companies desperate to cover them with lucrative yet sensible policies find common ground? Three simple steps will go a long way toward achieving that end:
- Realizing breaches are inevitable, focus more on quick detection, response and remediation than prevention. The idea that a network – any network – is impenetrable simply no longer reflects reality. Prevention is obviously important, but what really minimizes exposure is speed of resolution with any incident. If Target taught us nothing else, it was that even a cybersecurity team of more than 300 that has spent “several hundred million” dollars on the latest protective gear can fail. Where the Target breach went from minor incident to major hack was in ineffective incident response: it took Target weeks to shut down the breach, during which time tens of millions of user accounts were compromised.
- Require a full-fledged incident resolution team and process. Arguably the biggest weakness for most companies is their lack of knowledgeable talent in-house that can handle a breach’s aftermath. Without the right people in place working with a sound process vetted in advance, breaches will inevitably get worse. No insurer would write a commercial building policy without a building security team and response plan, so why treat cyber security any differently?
- Work with clients to develop best practices, starting with “mean time to response (MTR).” The development of sustainable health, fire, auto and life programs illustrates a tried-and-true path forward, namely working with clients to develop metrics to indicate particularly risky (or healthy or safe) behavior. By far the best way to minimize any breach is to detect and remediate it as quickly as possible. Although MTR is a new metric, it has already gained momentum as a quick way of gauging a company’s cybersecurity maturity.
Cyber insurance is ready to explode in the coming quarters and years as clients and insurance companies alike are clamoring for coverage. But the only way to unlock the market’s potential is for both sides to collaborate on the development of best practices, especially in the area of rapid detection and response. Without “virtual sprinkler systems” as standard features of any cybersecurity program, cyberbreaches cannot be expected to be contained before major damage is done – an outcome no one wants to see.
ABOUT THE AUTHOR
Craig Carpenter is the Chief Marketing Officer at AccessData. Prior to joining AccessData Craig was VP of Marketing and Business Development at Recommind where he pioneered and popularized predictive coding and predictive information governance into the hottest trends in the e-discovery and GRC markets, respectively. Before joining Recommind Craig led the global field and channel marketing teams at network security leaders Mirapoint and Fortinet (NASDAQ: FTNT). He has also taught graduate-level courses at the University of San Francisco in digital rights management and high-tech marketing. Craig believes the key to success is always maintaining a high-integrity, customer-centric focus.