September 30, 2015
Insurance Industry Can Solve Cyber
by Scott Kannry
Although cyber security seems to be an intractable problem, the insurance industry has unique insight that can bring it under control.
Before explaining the basis for the strong statement in the headline, it’s necessary to redefine what “solve” means. After all, we live in a world where the myth of impenetrability was long ago debunked, where there are no silver bullet technology solutions and where continued cyber events are as certain as the sun rising tomorrow. Anybody who knows anything about cyber is likely thinking, “It’s impossible to solve cyber risk!” But what if we redefine “solve” as: “to provide security leaders and firms with an accurate picture of their cyber exposure, with the ability to effectively manage the risk and with resiliency when an event happens.”
With that as the definition, why is the insurance industry best-positioned to solve cyber? It’s a matter of insight and the scope of that insight. The insurance industry is the only industry that has the ability to correlate controls and protective actions (insight gained during the underwriting process) with losses resulting from the failure of such controls and protective actions (insight gained by paying claims), thus occupying a front-row seat to what is working and what is not. Most importantly, because the industry serves this function across all classes of risk, across all industry verticals and on a continuous basis, the insurance industry should be the primary source of actionable cyber risk management insight. No technology or network appliance can do that, and even the best assessment is merely a snapshot in time.
Let’s drill a little deeper by considering each element of the new definition individually.
First, the ability to provide firms with an accurate picture of their risk is a critical step toward managing it. An insurance-linked approach can help firms understand the context of their cyber exposure and do it in a way that is both easily comparable and lays a foundation to capture loss and claims data. We recommend starting with four categories of loss: 1st party financial, 3rd party financial, 1st party tangible and 3rd party tangible. Then drill deeper within each category, with subcategories tied to specific types of insurance coverage and areas of un-insurability — an incredibly helpful data point itself (meaningful areas of un-insurable cyber risk should see an overweight deployment of controls). Ultimately, this approach paints a complete picture of the cyber risk spectrum and then facilitates the easy utilization of claims data for exposure modeling and benchmarking.
Next, the ability to effectively manage cyber risk certainly trumps the other two elements based on what is most sought by the security community right now. I’ve often described the job of a cyber security leader as akin to putting together a puzzle in which one-third of the puzzle pieces are missing, another third don’t fit together and, to make matters worse, the board changes every 30 minutes. This characterization of cyber will probably never tire — hence the need to redefine “solve” — but this is the very challenge that the insurance industry is best positioned to attack. Why? Because the insurance industry underwrites the cyber security programs of firms of all shapes and sizes on a daily basis and pays claims resulting from the failure of those cyber security programs on a daily basis. If information on both fronts can be appropriately harnessed and correlated in something akin to real time, the underwriting process itself should serve not as an interrogation but rather as an actionable intelligence session for firms to understand how to best evolve their cyber programs. And why stop there? Security leaders should welcome the opportunity to call their insurance companies anytime for an update on the risk climate and for guidance with strategic planning.
Finally, the ability to provide resiliency. This is where insurance coverage itself comes into play — as it is the only type of control that can reduce, or even eliminate, the cost of an event. The ability to survive is the true measure of resiliency, so while a robust set of controls, policies and procedures wards off antigens and increases the likelihood of surviving, the financial resources to pay for an event will be most meaningful in determining the firm’s and security leaders’ fates.
Imagine the post-event press conference if the insurance industry solved cyber: “Ladies and gentlemen, we’ve experienced a cyber event. It will likely be large but nowhere near catastrophic. We’ve been planning accordingly; we knew what our exposure was, and we have been continually updating our defenses in accordance with best-in-class recommendations from our insurance partners. We can validate that by virtue of the fact that we have been able to maintain a comprehensive insurance program that will cover all of our costs as well as any claims against us. The organization will emerge whole.”
The insurance industry has answered the challenge before. Decades ago, insurers started to correlate the causes of events like fire and boiler explosions and subsequently provided invaluable risk-engineering insight to firms. Nobody can dispute the relevance of the industry for minimizing property risk. While some characteristics of cyber are definitely unique, all of the foundational pieces are in place for the insurance industry to do the same here. If the industry succeeds, cyber can be solved.