Could Cyber Insurance Benefit From Government Regulation?
August 15, 2017 by Samit Shah and Jay Jacobs
Cyber insurance has become a major new business for carriers; it is often suggested that cyber insurance is the fastest growing segment of the insurance industry, and premiums are expected to increase from $1.35B in 2016 to anywhere between $7B and $20B by 2020. But while business is booming, there are still some critical challenges that insurance carriers face in underwriting cyber insurance policies that could hinder this expected growth. Can the government help carriers obtain new data sets to solve some of the most challenging problems in cyber insurance?
The challenges insurers face in obtaining data to underwrite cyber coverage have been well documented. Carriers face issues both in the underwriting of individual cyber risk insurance policies, as well as the modeling of cyber risk across a broader portfolio. With respect to individual risk underwriting, cyber risk data disclosed by applicants to underwriters is insufficient; carriers are not confident that they are asking the right questions or that the responses accurately represent the risk exposure for them to assign the right rates. From a modeling perspective, a lack of sufficient historical incident data hinders a carrier’s ability to build models to properly rate the risk. Carriers have been trying to collect information about cyber incidents for years, but these incidents represent only a fraction of the total number of incidents that have occurred. Due to competitive reasons, carriers do not like to share incident data with each other, so there is no common repository to find much of this data. Lacking a broader set of data reduces the visibility and confidence that a carrier has to expand their book of business.
When markets lack adequate data, participants often turn to the government for assistance in collecting data and creating greater transparency. In recent years we’ve seen discussions emerge between carriers and government about ways to address this information gap that may impede growth in the cyber insurance market. So, how can government help?
The reality is that there is a significant amount of publicly disclosed cyber incident data today, but that information is of questionable value to the insurance industry. For years, the government has required disclosure of certain cyber incidents, particularly incidents that involve the compromise of personally identifiable information, or PII. While some of these disclosures contain useful information, overall the quality of this data is of mixed benefit to carriers and modelers. First, breaches affecting PII are a fraction of the total number of data breaches; many breaches involving sensitive customer data, intellectual property, and other data classes go unreported. Furthermore, the data disclosures typically focus on the fact that a breach occurred and a certain number of records were lost. Carriers and modelers are interested in understanding why and how these incidents occurred and what to avoid in the future. They want to understand outages and other failures. The fact that an incident occurred is important, but more relevant, detailed information about why and how is critical in order to build better models.
While current data disclosure may not fully address the needs of the insurance industry, there are several steps government can take to improve the quantity and quality of cyber data that carriers can access.
Consolidate existing Data Breach Notification data into a common repository.
The United States alone has dozens of data collection efforts in progress due to federal agencies and 48 out of 50 states having some version of a data breach notification law. While these laws vary in terms of their requirements, there is no coordinated national effort to collect and share data generated by such notification efforts. Similar to work done to collect and report foodborne disease outbreaks or traffic fatality incidents, it would be beneficial to carriers and modelers for all of this data to be consolidated into a common repository. A consolidated platform would acknowledge the different legal requirements for reporting, but at least create standardization in data formatting and a single location to access the data.
Encourage breach response service providers to disclose information on their engagements.
Infectious disease experts are obligated to report conditions associated with an outbreak. Breach response providers are the infectious disease experts in cyberspace, and they should be encouraged to disclose anonymized data about the breaches they work on. Encouraging breach response providers to provide this information publicly will ensure both volume and quality, as they are working directly on breaches and have the domain expertise to provide quality data. But what type of data should they provide?
Emphasize the importance of disclosure on specific items.
Cyber disclosures can be made more relevant for carriers and modelers. A great starting point would be to leverage the VERIS framework developed at Verizonwhich is backing ten years of incident research. At a minimum, disclosures should focus on the “four A’s” of breach data: Actor(s), Actions, Assets and Attributes. None of these are exclusive selections as an external attacker can bribe and collude with an employee. Attacks are typically a series of steps using disparate and unique actions.
While there is no end to the level of detail that underwriters and modelers are interested in, the reality is that each data point represents considerable time, effort and cost to the affected entity. Every question should be scrutinized and every answer should be highly valued. There should be no data points collected that would be “nice to have” for the data analysis.
Due to our lack of coordination around notification and data collection, attackers take advantage of our limited understanding of the tools and strategies they use to cause us harm. The goal of a centralized repository is to improve our collective understanding of the cyber security ecosystem to limit the impact of, if not prevent, such attacks. It would be worthwhile to resume conversations within the insurance community to assess whether these steps if taken by the government improve the ability to appropriately rate and model cyber risks.