The incentives for cyber risk valuation fall disproportionately on insurers. Customers are usually shielded both from the information they would need to judge where to entrust their personal information and, because of credit card agreements and personal identity monitoring services, from much of the risk when that information is used for fraud. Researchers from Virginia Tech aim to change the market incentives for valuing cyber risk and recently published a paper outlining their plan. While highly theoretical, the paper proposes creating a market for cyber risk arbitrage that would allow individuals (and, likely, supply chain partners) to evaluate and bet on the cyber security of companies in which they have other interests, such as financial or customer relationships.
This proposal implies that the current cyber insurance market is not functioning correctly: that insurers have too little information with which to value risk, and therefore charge premiums that are too high for most potential customers. The R Street Institute, a think tank that researches cyber insurance, argues that the cyber insurance market is functioning well in its current state. It cites research by the insurance broker Marsh Inc. showing that premiums have fallen in the highest-risk industries while business is growing.
Anecdotally, I’ve heard from companies that have never used their cyber insurance policies because the deductible is so high (an example is a healthcare provider that sees its policy as only for catastrophic cyber incidents) and from a tech company that submits claims to its insurer so frequently that it is receiving payouts that exceed the cost of its premiums. The cyber insurance market is so new partly because the standard ISO form insurers use for general liability policies was revised in 2014 to specifically exclude certain cyber risks, which now must be covered by standalone policies. As companies had to purchase these policies for the first time, the market faced a great deal of uncertainty about which companies would buy standalone cyber insurance and which terms would be most attractive to these new customers.
Another area in which market forces may be insufficient is the evaluation of the security and effectiveness of commercial cybersecurity products. Companies that are not themselves in the security business but purchase cyber insurance also rely on their third-party vendors and on commercial cybersecurity products to protect them, often without any access to the code of those products, the testing process their software undergoes, or data on how particular firewalls or antivirus products perform in a head-to-head comparison against other products in the same category. Cyber insurers would also like to have this information, but it may take the intervention of the FTC or NIST to perform the function of a “cybersecurity FDA” and evaluate both the claims made by commercial cybersecurity solutions and their actual effectiveness. Could insurers as a group be a sufficient force to advocate for the formation of such an organization?