April 12, 2019
Clarity of History Can Reduce Cyber Risk
by Jesse Lyon
Cyber liability and technology E&O insurers are not only giving hackers the upper hand but are endangering their own existence.
Indemnity, through the use of insurance, has a long pedigree. However, insurance as we know it today did not really start until the end of the 17th century. It was at that point that insurance companies started to be formed to combat one of the oldest enemies of civilization: untamed fire. Moreover, fire insurance companies understood their enemy well and worked swiftly to combat it; those efforts ultimately gave rise to our present day in which millions of people around the world live largely free from the threat of a fire destroying a neighborhood or city. That pedigree sired all the forms of insurance that we know today, whether it be general liability or cyber liability. However, the landscape, as it relates to cyber liability and technology E&O, does not show the responsible insurance traits that such thorough breeding would be expected to produce, and we need to review three prominent examples of where cyber liability and technology E&O insurers are not only giving their enemy, hackers, the upper hand but are also endangering their own existence.
Perhaps one of the most recent blatant examples of how insurers are failing their lineal forebears occurred toward the end of 2018, when an insurer created a partnership with one of the world’s largest e-commerce merchants to provide physical cyber tools to policyholders to help “protect” homes. All the available evidence suggests that the cyber tools were championed by the insurer without its having done considerable research on, and testing of, the physical devices to ensure that they were highly resistant to being hacked. None of the products the insurer recommended were rated as “secure” by any respected independent testing lab. In fact, none of the products were rated “secure” on the manufacturer’s website. For a cyber liability insurer that also offers homeowners and renters insurance, the championing of such products directly undermined the insurer’s cybersecurity credibility and sullied its pedigree, all for marginally increasing its bottom line.
Another timely and alarming example of an unfortunate mistake by cyber liability insurers concerns the recent creation of the Global Cyber Alliance and the Cybersecurity Tech Accord. The aim of both is to create a cooperative atmosphere in the private sector to combat cybersecurity threats while also working to provide responsible cyber products. Many respectable companies belong to each organization, but not one cyber liability or technology E&O insurer can be found among the members of either. When we read in the news that company ABC suffered a $40 million data breach, that means, assuming the organization had a cyber liability policy, that millions of dollars are being lost by the cyber liability insurer. Because of the current and highly competitive cyber market, the premiums of cyber liability policies are not typically commensurate with the amount of risk and financial loss, and so do not appropriately offset the millions of dollars the insurers pay out in such a breach. Thus, insurers are mistakenly failing to advocate for or support the very organizations, like the Cybersecurity Tech Accord, that are indirectly trying to help them reduce their losses and those of their clients.
A further mistake by cyber liability insurers is illustrated by something insurers themselves say. It is not uncommon to read in a cyber liability brochure that the insurer is not going to restore a client to a better state than the one the policyholder had prior to a cyber breach. On its face, the logic is reasonable and is even in the pedigree of fire insurance companies. After all, fire insurance companies would not build a person a five-bedroom, four-bath home with a four-car garage when that person’s two-bedroom, one-bath home with no garage burned down.
However, fire insurance also followed the principle of indemnity, and that principle clearly states that an insured is to be restored to her original condition after a fire. Cyber liability insurance policies DO NOT FOLLOW the principle of indemnity, and that distinction matters considerably.
There is no reasonable way to calculate how much a cyber liability breach will cost an insured or her cyber liability insurer. After all, laws across the U.S., let alone the world, vary in their intent and letter as to what needs to be done after a cyber breach. Not only that, but the size of a company, how a company was breached, when it was breached, what was stolen, if anything, what was done with what was stolen and a number of other important factors inextricably but subjectively determine the impact a breach will have on a client. That those factors are subjective in their cost means that all insurers have no accurate way of determining the cost of a breach. When a $500,000 home burned down, an insurer could reasonably expect the cost of replacing that home to be within a certain percentage of $500,000. When a major retailer suffered a cyber breach in 2013, the annual report the following year specifically stated that it did not know what the true cost of the breach would be, but it was expecting the cost to increase beyond the initial amount. If such a policyholder was unable to determine the true cost of the breach, then how could the insurers of its cyber liability policy know, either?
One of the major tools that fire insurance companies used in the past to combat fires was to understand how susceptible a building material was to being damaged by fire. However, to this date cyber liability insurers have not founded an institute, funded by themselves, created for the express purpose of determining the quality of products that have a direct impact on policyholders’ ability to resist attack. That quality is, in turn, inextricably linked to a policyholder’s actual sense of cybersecurity safety. Cyber liability organizations sometimes use the services of a cybersecurity firm to determine, prior to underwriting a policy, whether an applicant’s network exhibits any signs of unusual network activity that could be suggestive of a cyber breach. However, that is an inadequate way of providing a policyholder with any meaningful comfort, let alone of giving an insurer a solid basis to believe a risk is worth underwriting. In fact, the closest organizations that exist for the express purpose of determining a product’s cybersecurity strength are Cyber ITL (Independent Testing Lab) and NIST (National Institute of Standards and Technology). However, neither of those organizations was created by insurance companies, and neither has the vested interest that insurers have in protecting their policyholders and guaranteeing that cyber liability remains profitable to underwrite. Therefore, it is time for all cyber liability insurers either to join with an organization like Cyber ITL or to create their own like-kind organization. The browser application, the version number of that browser, the operating system in use, the kind of router a computer is connected to, the kind of firewall in place and numerous other factors all play a part in increasing or decreasing the strength of users’ cybersecurity.
However, until cyber liability insurers measure and rate everything that pertains to cybersecurity, they and a vast majority of their clients will be allowing hackers to gain an undeserved advantage.
Beyond the need for an independent testing lab there are other measures that insurers need to take, and these measures have been previously proposed. However, it is extremely unfortunate that insurers have yet to rally to the cause of their clientele by implementing the following strategies.
In the April 2016 edition of the PLUS Journal, it was argued that insurers need to work with other companies involved in technology, marketing, lending and other parts of the private sector to create an international competition. This competition would give students a creative outlet to display their skills, whether they be in coding, design or writing. By establishing such a competition and working with educators, worldwide insurers and other companies can give pre-college students the ability to demonstrate, on a world stage, the ingenuity and adaptive reasoning that bright young people often possess. However, the benefit of the competition is not only for the students; it absolutely benefits the corporate sponsors of the international competition. For insurers, it allows them to persuade students that the insurance realm is a viable and worthwhile place in which to work. It also allows insurers to gain the opportunity to create a list of candidates from which to recruit when the winners of the international competition graduate from university. The same list of students that insurers create can also be used for their clients when they need to hire a software engineer or a laureate. If insurers have some of the brightest and most talented young people working for them, they can create more efficient internal systems and more advanced lines of insurance coverage, and they can also provide better methods for ensuring that their policyholders have the right tools with which to mitigate cybersecurity risk.
Additionally, it is not profitable or reasonable to believe that cyber liability follows the principle of indemnity, because believing that hurts the insurer and, to a greater extent, the insured. If an insured uses the same computer, router, browser and other items after a breach has been fixed that were used prior to the breach, then there is nothing to stop another breach from occurring. In the near term, to reduce the number of clients suffering recurring breaches, an insurer should pay for one year of monitoring by a respectable cybersecurity firm. It would also be useful to conduct an on-site visit by an auditor three to six months after the original breach has been fixed to see what steps the insured has taken to prevent future ones. In time, if an independent testing lab is established, an insurer could even offer a policyholder an improved router and firewall to further protect the client. The less susceptible any client is to an attack, the less likely a claim will arise, and fewer claims means more underwriting profit.
However, technology E&O insurers also bear a responsibility for helping to prevent cyber breaches. After all, how well a software engineer or an electrical engineering professional writes software code or builds physical products is the basic element that will later determine, to a high degree, whether a breach occurs or not. Technology E&O insurers need to work with universities to establish teaching standards that are uniform across the globe, and engineering standards in the workplace that establish the highest minimum standard possible. In the January 2016 edition of the PLUS Journal, it was also demonstrated that technology E&O policies can be written to encourage more responsible software engineering practices to further minimize claims. If the above practices are put into place, then perhaps lives lost to faulty software, like those in the recent two plane crashes of a U.S.-based commercial jet manufacturer, need not happen in the future.
The closest thing fire insurance companies had to a dynamic enemy were arsonists, who were few and far between. Despite the general absence of an active enemy, those organizations spent about 200 years directly influencing the development of urban landscapes, whether through building codes or the layout of a city. Today, their efforts have largely paid off because they acknowledged the challenges they faced and met them with courage and creativity. They did not accept that they could do nothing to make their clients safe or secure their profitability. However, today, beyond a few web portals that insurers or third parties have created that provide minor tools to a policyholder, and beyond creating semi-close relationships with some members of the cybersecurity community, cyber liability and technology E&O insurers have spent a significant part of the 21st century accepting losses, writing checks and never acknowledging that hackers and poorly crafted technology products are their mortal enemies. Hackers are costing the global economy tens of billions of dollars, if not more, every year, and businesses are closing or suffering severe financial loss because of cyber breaches. How many more people must die and how much insecurity must exist in this world before insurers acknowledge that the war is here, and the enemy is at the doors of organized civilized societies? When will insurers take the prudent course and glean from history and their forebears all the lessons they offer, and in so doing prove that they are worthy of their trust?