In the aftermath of the Equifax data breach last year that exposed personal information of more than 145 million people, analysis firm Property Claim Services estimated that cyberinsurance would cover roughly $125 million of Equifax’s losses from the incident. It’s uncertain whether Equifax will actually receive that much money; insurance claims can take a long time to investigate, process, and pay out. But it was a reminder of the increasingly important role insurance plays in cybersecurity—and the challenges of getting it right.
In 2016, the cyberinsurance market brought in around $3.5 billion in premiums globally, of which $3 billion came from US-based companies, according to the Organisation for Economic Co-operation and Development. That’s not an enormous amount of money compared to other insurance markets; motor vehicle insurance premiums in the US, for instance, total more than $200 billion annually. But cyberinsurance premiums have grown steadily at a rate of roughly 30 percent every year for the past five years, in an industry unaccustomed to such spikes.
‘The worst data is probably in cyberinsurance.’
Nick Economidis, Beazley PLC
With the European Union General Data Protection Regulation poised to go into effect May 25, and firms of every size in every sector concerned about emerging online threats, insurance carriers see ample opportunity. But as the cyberinsurance market grows and those carriers take on responsibility for more computer-based risks, it becomes increasingly important that they model that risk and predict its outcomes accurately, a notoriously difficult task in the evolving and unpredictable domain of online threats.
Companies like retailers, banks, and healthcare providers began seeking out cyberinsurance in the early 2000s, when states first passed data breach notification laws. But even with 20 years’ worth of experience and claims data in cyberinsurance, underwriters still struggle with how to model and quantify a unique type of risk.
“Typically in insurance we use the past as prediction for the future, and in cyber that’s very difficult to do because no two incidents are alike,” said Lori Bailey, global head of cyberrisk for the Zurich Insurance Group. Twenty years ago, policies dealt primarily with data breaches and third-party liability coverage, like the costs associated with breach class-action lawsuits or settlements. But more recent policies tend to accommodate first-party liability coverage, including costs like online extortion payments, renting temporary facilities during an attack, and lost business due to systems failures, cloud or web hosting provider outages, or even IT configuration errors.
The constantly changing threat landscape isn’t the only challenge cyber underwriters face. Since many companies don’t have cyberinsurance, lots of incidents go unreported every year, making it more difficult to reliably estimate the frequency or costs of such events.
“If you’re writing policies for personal automobile or personal homeowners insurance you definitely have a lot of really good data. The worst data is probably in cyberinsurance,” said Nick Economidis, a cyber liability underwriter at Beazley PLC.
In other areas of insurance, such as earthquake or flood coverage, carriers also make sure to diversify their customers, for instance by spreading them out across different geographic locations in order to avoid being overwhelmed by simultaneous claims. The cyberinsurance industry has attempted to diversify by adding clients of various sizes in different industries. But last summer’s NotPetya ransomware attack did not discriminate based on sector or company size, causing well over a billion dollars in total damage across shipping, pharmaceuticals, and more. So now, carriers try to diversify among cloud providers, web hosts, software dependencies, and operating systems, Bailey said.
That, too, could prove challenging. While vulnerabilities like Heartbleed and ransomware like WannaCry—along with the recent Spectre and Meltdown flaws in Intel chips—don’t appear to have resulted in large cyberinsurance payouts, they show just how pervasive cybersecurity issues can be, and the inherent risk of simultaneous claims from many of a carrier’s customers.
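The diversification problem described above comes down to aggregation risk: a portfolio that looks spread out by sector can still be concentrated on one operating system, cloud provider or library, so a single event such as NotPetya triggers claims across the whole book at once. The following is an added example, not code from the article or from any insurer quoted in it; it uses a constructed sample portfolio (the insureds, limits and dependencies are invented) and shows how to measure exposure both by sector and by shared technology dependency, and to flag any dependency that exceeds a chosen tolerance.

```python
from collections import defaultdict

# Constructed sample portfolio (illustrative only, not real policies):
# each insured's sector, policy limit in USD, and the shared technologies
# its operations depend on.
PORTFOLIO = [
    {"insured": "ship-co",   "sector": "shipping",   "limit": 40_000_000,
     "deps": {"os:windows", "cloud:alpha", "lib:openssl"}},
    {"insured": "pharma-co", "sector": "pharma",     "limit": 30_000_000,
     "deps": {"os:windows", "cloud:beta"}},
    {"insured": "retail-co", "sector": "retail",     "limit": 20_000_000,
     "deps": {"os:windows", "cloud:alpha", "lib:openssl"}},
    {"insured": "bank-co",   "sector": "finance",    "limit": 25_000_000,
     "deps": {"os:linux", "cloud:beta", "lib:openssl"}},
    {"insured": "clinic-co", "sector": "healthcare", "limit": 10_000_000,
     "deps": {"os:windows", "cloud:gamma"}},
]


def total_limits(portfolio):
    """Sum of all policy limits in the book."""
    return sum(policy["limit"] for policy in portfolio)


def aggregate_exposure(portfolio, key):
    """Sum policy limits per value of `key`.

    `key` may name a scalar field ("sector") or a set-valued field ("deps");
    for a set, each member receives the full policy limit, because a failure
    of that one dependency could trigger the whole claim.
    """
    totals = defaultdict(int)
    for policy in portfolio:
        value = policy[key]
        values = value if isinstance(value, (set, frozenset)) else {value}
        for v in values:
            totals[v] += policy["limit"]
    return dict(totals)


def largest_single_event(portfolio, key):
    """The one sector or dependency whose failure would trigger the most
    simultaneous claims: returns (name, aggregate limit, share of book)."""
    total = total_limits(portfolio)
    exposure = aggregate_exposure(portfolio, key)
    worst = max(exposure, key=exposure.get)
    return worst, exposure[worst], exposure[worst] / total


def over_tolerance(portfolio, key, max_share):
    """Values of `key` whose share of total limits exceeds `max_share`,
    i.e. the concentrations a carrier would want to diversify away."""
    total = total_limits(portfolio)
    return sorted(
        name for name, amount in aggregate_exposure(portfolio, key).items()
        if amount / total > max_share
    )


if __name__ == "__main__":
    # By sector the book looks diversified; by dependency it is not.
    for key in ("sector", "deps"):
        name, amount, share = largest_single_event(PORTFOLIO, key)
        print(f"{key:7s} worst case: {name} ${amount:,} ({share:.0%} of limits)")
    print("dependencies over 40% tolerance:", over_tolerance(PORTFOLIO, "deps", 0.40))
```

Run against the sample book, no sector exceeds a third of total limits, yet four shared dependencies each carry more than 40 percent, and one operating system carries 80 percent. The assumption that a dependency failure triggers the full policy limit is deliberately pessimistic; a real model would scale each contribution by an estimated probability and severity per dependency.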
As they struggle to assemble a diverse risk portfolio, many carriers have also partnered with security firms to provide their customers with a more standardized and, they hope, more resilient set of technologies to protect their digital assets. Allianz recently announced a partnership with Aon, Apple, and Cisco, through which customers could receive “enhanced” cyberinsurance policies from Allianz—including lower deductibles and coverage for hardware replacement costs—if they also use the assessment tools, security technologies, and breach response services provided by the three other partners. It’s a similar dynamic to a health insurance company offering discounts for in-network providers.
The Allianz partnership is unique in offering lower deductibles and additional coverage to customers who adopt specific technology partners, but carriers and security firms often partner up to offer discounted or free security services for policyholders. A Chubb cyberpolicy, for instance, can come with preferred rates from CrowdStrike and FireEye, while XL Catlin partners with Clarium, Venable, and NetDiligence, among others. Zurich provides customers with access to Deloitte cybersecurity consulting services.
Those partnerships aren’t just added value for customers; they can help relieve carriers of some of the technical burden of auditing a company’s IT security when deciding whether to cover them.
“We really don’t have the time to evaluate everyone’s technology, nor are we sure that we are qualified to do that,” Economidis said. “It doesn’t seem to fit our expertise and becomes a business distraction for us.” Instead, most carriers rely on written questionnaires submitted by potential customers about their security practices and incident response processes, though that information is often filtered through an insurance broker and is not always reliable.
‘We haven’t developed the algorithm that correlates what technology they’re using and what their premium should be.’
John Coletti, XL Catlin
By partnering with Aon, which provides its own cyber-resilience evaluation service, Allianz hopes it will be able to more thoroughly—and continuously—assess its customers’ cyber-risk profiles. Similarly, the carrier believes that encouraging its clients to use Apple devices and Cisco security tools will drive down the number and size of claims from its customers, especially small and medium-sized businesses without the resources to invest heavily in their own bespoke security solutions.
And yet empirical evidence for the effectiveness of preventative security controls is surprisingly hard to come by in the data-driven world of insurance.
“From a cost perspective it helps to have a pre-negotiated rate with vendors, but on the prevention side I wouldn’t say that we have data to suggest that the money that we have spent or our customers have spent on prevention partners has improved the security performance,” XL Catlin chief underwriting officer John Coletti says. “We haven’t developed the algorithm that correlates what technology they’re using and what their premium should be.”
Sasha Romanosky, a researcher at RAND who studies cyberinsurance, said that even if carriers don’t necessarily know which technologies will make their customers most secure, there may still be advantages to partnerships that ensure greater consistency across their clients.
“The carriers don’t really know the answer to what characteristics to what makes a firm or group of firms vulnerable, and what insurance carriers would do with that is diversify their portfolio,” Romanosky says. “But on the other hand, if every carrier requires that everyone use the same firm it creates consistency and a lot of what we want right now is standardization in assessing and reporting and presenting and mitigating cybersecurity risk. There are advantages of uniformity.”
Even as they work to impose some uniform risk management practices on their customers, insurers, too, are moving towards more standardized, consistent offerings across firms—particularly when it comes to the size and scope of cyberpolicies—in an effort to keep up with their competitors. At the same time, insurers like Allianz are experimenting with industry partnerships in low-risk efforts to distinguish themselves. The major cyberinsurance milestones and innovations so far have been characterized by that caution—partnerships with well-established, big-name firms that have little or no impact on customer premiums or policy coverage. It’s a slightly timid race to grab bigger pieces of the growing cyberinsurance market, since the insurers themselves are all keenly aware of how tenuous their grasp is of cyberrisk and its potential costs.