The cyber insurance market has been compared to other insurance markets like commercial liability, fire, flood, catastrophe, and terrorism. For the most part, these analogies are an attempt to forecast and map the growth of the cyber insurance market as it approaches maturity, and determine whether government intervention would be helpful. We’ve explored the relationship between the cyber insurance market and terrorism insurance, and the view that cyber insurance will require a federal backstop like the terrorism insurance market has in TRIA/TRIPRA. Fire insurance has also been used as an analogous market, with the hope that as cyber insurance becomes more common, insurers and customers will determine standard protective measures, like sprinkler systems for fires, that can be implemented across industries to reduce fire risk. However, while general guidelines like using firewalls, implementing two-factor authentication, and providing training to identify phishing and social engineering are implemented broadly, security infrastructure varies broadly both within and between industries, and there is no “industry standard” set of cybersecurity equipment upon which insurers can insist.
Flood insurance is an example of a market not perfectly served by the private sector: many insurers do not offer flood insurance because those who would want to purchase flood insurance are identifiably at risk, and it is impossible to adequately spread risk between high- and low-risk populations. In some ways, this is similar to cyber insurance: businesses that store PHI, for example, are usually identifiable (they are health payers or providers, for example) and they are at risk because of the value of that information. On the other hand, the ability of cyber insurers to spread their client populations across industries, and the fact that nearly all businesses store some type of valuable customer information like payment card information, means that risk can be spread somewhat. Additionally, while a flood is very likely to lead to a total loss of a home and all the belongings in it, a data breach is unlikely to lead to a total loss of business operations.
Catastrophe insurance often includes flood insurance, and is designed to insure against low-probability, high-cost events that are usually excluded from standard hazard insurance policies. Some types of cyber insurance are similar to catastrophe insurance, and large deductibles mean that cyber insurance policies are usually only called upon in the event of large, costly breaches. Reinsurers are important to this market, because they help spread risk between insurers, and cyber insurance is also seeing an active reinsurance sector. A primary way in which cyber insurance differs from catastrophe and flood insurance is that the majority of cyber insurance claims involve insider activity (whether malicious or accidental, such as the loss of an unencrypted laptop with PHI on it). Natural disasters hardly ever involve “insider threat”-like behavior.
A recent publication by the Department of Defense, titled Cyber Analogies and edited by Emily Goldman of Cyber Command, provides analogies relevant to cyber warfare and cyber security. These also provide, by extension, analogies to the types of insurance involved in other incidents, like Pearl Harbor. Many of these analogies take into account the near-100% chance of cyber breach, and insurance as intended to reduce the impact of an adverse event. In this view, the analogy between cyber insurance and catastrophe insurance underscores that, while the tools of cyber attacks are man-made, the timing of their occurrence is as unpredictable as natural disasters.
Join the conversation on Medium