I have been doing a lot of thinking about the ability of the insurance industry to profitably underwrite cyber risk insurance. As I try to gain a deep understanding of the cyber industry from insurers, pre- and post-loss service providers, attorneys, and technology experts, it is becoming increasingly apparent to me that cyber is unlike any other type of insurance that I can think of – and I question whether it will remain insurable.
I can’t think of another line of insurance where the exposure to loss is created (in large part) by a hostile, active, and motivated opponent – the for-profit hacker. Cyber insureds are under constantly evolving, widely dispersed attack, and cyber insurers are going to pay for the results of those attacks.
What other lines of insurance protect against risk that is actively generated by persons primarily from outside the organization? Not many come to mind, other than Kidnap & Ransom and portions of a Blanket Bond (financial institutions, jewelry stores, etc.), cargo theft, and high seas piracy. While each of these lines of insurance covers losses caused by some very capable opponents, they are pretty well understood and, I would say, manageable from a security standpoint.
When it comes to liability insurance and Workers’ Compensation, we have always worried about the ability of the plaintiff’s bar to create new theories of liability, but these tend to evolve slowly, giving insureds and insurers time to evolve and adapt.
But what about cyber? Here we have a constantly changing source of threats, some of them quite sophisticated, and they can be tweaked almost instantly to counter potential defenses. Techniques and tools can be updated quickly and shared with other black hats. Deployment is rapid, widely dispersed, and adaptable.
Now, compare this with an industry that has to essentially rely on the insured to manage its own defense, relies on an annual process of applications that provides only a snapshot of the exposure at the time it is completed, and which is admittedly challenged at identifying the true risk of loss.
I am immensely impressed with the best of the cyber underwriters, but I am worried that they are outgunned. Underwriting tools may never be able to keep up with the bad guys.
What the industry will increasingly need to rely on is not a passive Maginot Line of defenses, but active defense. Wouldn’t it be great if an underwriter could require insureds to be subscribers to an active defense services provider and enjoy the confidence that the insured is being protected on an ongoing basis? Is such a service even available?