November 22, 2017
Cyber Insurance Needs Automated Security
Cyber insurance without automated cybersecurity is like fire insurance without smoke detectors. But we need new tools.
Hackers, malware, viruses, ransomware and phishing emails are becoming a normal part of increased connectivity, and their impact on everyday life is growing. The result is a profound increase in the demand for cyberinsurance. The downside? Cyberinsurance is hard to price because risk potential is not well understood, and losses can run into the millions of dollars. Moreover, businesses with cyberinsurance may be lulled into complacency by their coverage. They shouldn’t be. Just reimbursing the costs of damage after a cyberattack isn’t smart business—smart businesses seek to prevent the cyberattack from occurring.
Enterprises do this at great expense, with costly, complex tools and teams beyond the reach of small and medium-sized enterprises (SMEs). SMEs need automated cybersecurity for cost-effective, full protection. That’s because cyberinsurance is insufficient to protect a business: It isn’t a substitute for good business practices that work in concert with cybersecurity. In short, cyber insurance and cybersecurity must complement each other to provide what businesses really want: peace of mind at predictable costs.
Cyber Safety Is as Essential as Fire Safety
Think of it like this: You wouldn’t protect a business from a fire simply by buying a fire insurance policy. Best practice fire safety includes smoke alarms, fire extinguishers, fire-retardant building materials, a designated gathering spot and regular fire drills. On the other side of the coin, governments have adopted fire safety building codes, and insurers don’t sell fire insurance without verifying fire safety compliance: Fire extinguishers, smoke detectors and sprinklers must be installed and properly maintained.
Similar business practices are necessary for cyber protection. But the technology has not caught up with business needs. Many cyber insurance policies are written without accurately measuring the risks that make a business vulnerable to a cyber attack. A one-time snapshot of the number and type of data records, or even a more full-fledged review of internal and external systems, is inadequate to assess risk. Technology evolves too quickly for these snapshots or scores to be valid over time. The moment a system needs upgrading, data may be at risk. The moment a new virus begins to spread, businesses are vulnerable. As long as a patch is not applied, systems and data are exposed. These big changes to risk affect the underwriting assumptions. It’s a shifting landscape, one that requires that businesses remain constantly vigilant. Automated cybersecurity technology is more effective than people at monitoring and addressing threats. In short, cyber insurance without automated cybersecurity is like fire insurance without smoke detectors.
Cyber Risk Models Need Much More Data
Automated cybersecurity platforms that detect and protect against cyber attacks are also useful to measure risk over time. Telematics let auto insurers such as Progressive and Metromile more accurately measure risk—and price accordingly. We need new “cyber-telematics” that allow underwriters to more accurately measure cyber risk. They provide risk insights about the insured, enabling the development of rich aggregate risk models. Cyber-telematics also helps underwriters develop risk models from the measurements correlated with cyber risk—and see the red herrings that aren’t. Cyber-telematics answers industry concerns noted in a March 2017 Property Casualty 360 article that “the insurance industry faces a rampant reporting bias that is hard to translate into policies.”
Without a thorough understanding of the profound risk being underwritten, losses are unpredictable—and potentially catastrophic. Insurers have long understood the impact of underestimating exposure aggregation with respect to natural disasters and other correlated losses like terrorism or asbestos claims. Of these, Towers Watson wrote, “The difference is that the terrorist attack is a single event and not a decades-long process, and the losses will be recognized and paid much more quickly.” The same, or worse, should be expected of large-scale single cyber events.
Technology is essential to collecting the data for, then understanding, mitigating and accurately modeling cyber risk.
Large enterprises have massive budgets, and most create a custom cybersecurity system using expensive experts and tools from multiple vendors. This has made it much harder to penetrate their defenses. As a result, hackers have moved down the food chain, making small and medium-sized businesses especially vulnerable. These businesses face the potential of a business-ending event in the face of a cyber attack.
Automation is the right answer when people and systems aren’t available or affordable. SMEs need automated cybersecurity to reduce risk and reduce cost. Current solutions are simply too expensive in terms of staffing and too complex in terms of tool integration. With automated cybersecurity, SMEs receive the benefit of robust machine learning coupled with economies of scale that take advantage of the cost efficiencies introduced by automation. For insurers, automation enables data gathering that informs robust risk management models, providing key insights to identify and mitigate loss potential.
According to Hiscox data, 60% of smaller companies in the U.S. reported one attack or more in the last 12 months—and 72% of larger companies. In the U.S., the average estimated cost of an organization’s largest cyber incident was $35,967 for 99 or fewer employees and $102,314 for 1,000 or more employees. However, a November 2017 Property Casualty 360 article reports that “in the aftermath of an incident, SMBs spent an average of $879,582 due to damage or theft of IT assets; additionally, disruption to normal operations cost an average of $955,429.” This wide variance in the reported cost of cyber incidents reflects uncertainty among insurers.
The Hiscox report further observes, “While big firms incur the highest costs in nominal terms, the financial impact of cyberattacks is disproportionately high for the very smallest companies.” Because these “smallest companies” can least afford effective cybersecurity, they need automated solutions. Let the machines do the work.
Peace of Mind
Cyberinsurance complemented by automated cybersecurity is key to modern business—neither is sufficient on its own. SMEs are better protected with the complement of these tools. A simple metaphor is the modern automobile. Today’s cars don’t simply provide airbags to react to accidents; they include technologies to avoid accidents: anti-lock braking systems (ABS), blind spot monitoring, lane departure warnings and more. Modern cybersecurity and cyber insurance are similar complements: Airbags cushion the blow, much as a rapid response can limit the losses from a cyberattack, and automated cybersecurity monitors networks and protects SMEs, much as accident prevention systems protect drivers.
Modern technology demands the next evolution of cyber insurance and cybersecurity measures, similar to the evolution of fire insurance and car safety technology. Effective, automated cybersecurity technologies, coupled with comprehensive cyber insurance, are needed for real peace of mind against cyber attacks.