In some ways, there's never been a better time to be an insurer: every business wants cybersecurity insurance, and the market is willing to tolerate crazy annual premium hikes — 30% a year for the past five years!
But there's a reason for this craziness: the potential risk to cybersecurity insurers is nearly unquantifiable and virtually infinite: think of being the insurer holding the bag if Facebook gets sued or fined for a couple billion dollars for the Cambridge Analytica scandal.
Companies have blithely collected and warehoused potentially compromising personal information as though it was nearly harmless, meaning that today, as the no-win/no-fee contingency bar is trying every possible tack to force companies to pay the full cost of their breaches, the companies doing the breaching don't know what they've collected, where it is, or how it's protected. They don't know if it's been stolen and they don't know what to do about it when they discover that it has been. They sue and threaten security researchers who warn them about holes in their security, or merely ignore them — and hope that this never comes to light when they're in front of a judge or a lawmaker arguing that their breaches weren't the result of negligence.
So insurers are racking up higher and higher premiums and crossing their fingers, and trying all kinds of gimmicks to get the companies they're underwriting to clean up their acts, like offering discounts on their premiums if they buy auditing and security services from a few giant companies.
My prediction is that one of these companies is going to get hit for a big judgment, like, say, 1% of the total real-estate holdings of everyone whose data they breached (on the theory that 1% of those in any breach will eventually have their houses stolen by identity thieves forging duplicate deeds using information from that breach, combined with other breaches). When that happens, insurers, reinsurers and underwriters are going to call time on surveillance capitalism. They'll start insisting that the insured store as little data as possible and retain it as briefly as possible, and make companies pay through the nose for every field in their databases and every extra day between log-rotations. Of course, they may just insist that any company that gets a policy also modify its terms of service to require binding arbitration from all its users.
Sasha Romanosky, a researcher at RAND who studies cyberinsurance, said that even if carriers don't necessarily know which technologies will make their customers most secure, there may still be advantages to partnerships that ensure greater consistency across their clients.
"The carriers don't really know the answer to what characteristics to what makes a firm or group of firms vulnerable, and what insurance carriers would do with that is diversify their portfolio," Romanosky says. "But on the other hand, if every carrier requires that everyone use the same firm it creates consistency and a lot of what we want right now is standardization in assessing and reporting and presenting and mitigating cybersecurity risk. There are advantages of uniformity."
Even as they work to impose some uniform risk management practices on their customers, insurers, too, are moving towards more standardized, consistent offerings across firms—particularly when it comes to the size and scope of cyberpolicies—in an effort to keep up with their competitors. At the same time, insurers like Allianz are experimenting with industry partnerships in low-risk efforts to distinguish themselves. The major cyberinsurance milestones and innovations so far have been characterized by that caution—partnerships with well-established, big-name firms that have little or no impact on customer premiums or policy coverage. It's a slightly timid race to grab bigger pieces of the growing cyberinsurance market, since the insurers themselves are all keenly aware of how tenuous their grasp is of cyberrisk and its potential costs.
Cyberinsurance Tackles the Wildly Unpredictable World of Hacks [Josephine Wolff/Wired]
(Image: secumem, Whistleblower07, CC-BY-SA)