Though plenty of analysts foresaw that 2021 might be a dramatic year when it came to corporate cyberattacks, I think it’s fair to say that even by now it has surpassed our expectations. First there was the SolarWinds breach and now a massive attack has hit the Microsoft Exchange server, also leading to the release of vast amounts of sensitive data.
You would have thought that companies like SolarWinds, the US DoD (Department of Defense), and Microsoft would have learned their lesson by now, and that the millions (billions?) of dollars they spend on security each year would have made such breaches a thing of the past or at least less frequent. Not so. Dig a little deeper into the reporting around these breaches, and you’ll see that the companies involved didn’t actually lose much, at least financially, because they were insured.
Whether that’s a good thing is debatable. For years, security researchers have been pointing out that the rise of cyber insurance might actually be making security worse. By adopting a risk-based security approach, and in the last year by applying the same risk management techniques to remote work, companies have less of an incentive to build genuinely strong defenses.
That might be about to change, and with it our whole approach to cybersecurity.
The Insurance Debate
Even a decade ago, plenty of people were skeptical about the idea of cyber risk insurance. While the risks of cyberattacks were recognized – in terms of financial loss, potential legal action, and reputational damage – some analysts were of the opinion that cyber risks were simply too hard to predict to be accurately insured against.
These concerns were quietly ignored. In fact, looking back you can see a problematic complicity between companies looking to mitigate their liability, insurance companies looking to increase their premiums, and security firms willing to provide untested defensive systems. In other words, cyber risk insurance managed to remove responsibility for ensuring strong cyber defenses from all three parties.
The problematic outcome of this system is a classic example of a “moral hazard.” This is a concept that relates to gambling with other people’s money. When this happens, greater levels of risk are taken than when your own money is at stake. A classic moral hazard example is automobile insurance. Once insured, drivers have little incentive to drive more safely as the costs of an accident will be borne by a third party, i.e., the insurer.
Something similar happened over the past decade with cyber insurance. Instead of building their own secure systems, corporations, including SaaS companies, have come to believe that a risk assessment is a good enough replacement. Instead of using proven cybersecurity apps and techniques, we’ve “passed the buck” of cybersecurity to insurance companies who know little of the subject, but who generated $3.15 billion in the U.S. market in 2019 alone.
Now, however, things might be about to change. In the wake of the huge corporate data breaches of the last few years, insurance regulators are increasingly concerned that insurers aren’t doing enough to understand the risks they are insuring against and nowhere near enough to encourage their customers to put better protections in place.
The most prominent example of this changing approach has recently been codified by New York’s regulator for the insurance industry, the Department of Financial Services. The organization issued a new Cyber Insurance Risk Framework last month, and it signals a major change for insurers in the state. “As part of their cyber insurance risk strategy,” it spells out, “insurers that offer cyber insurance should regularly evaluate systemic risk and plan for potential losses.”
In plain terms, this means that insurers should assess the level of preparedness of the companies they insure and adjust their premiums accordingly. There are precedents for this – some homeowner insurance providers offer discounts of up to 20% when homeowners install home security systems, for instance – but it nevertheless indicates a monumental change in the way companies protect themselves from cyberattack. That’s because it will no longer be possible for companies to say, “We’re insured” and forget about cybersecurity; and equally, insurers will soon be unable to claim that they don’t need to build expertise in cyber risk.
Brave New World
That it took this long for this change to begin may be surprising for those who don’t work in cybersecurity. For those of us who do, it is merely another indication that the legal and social framework we’ve built up around fast-moving technologies has a long way to go to catch up.
That’s not to say that this development is not welcome. In fact, a more responsible approach to cyber risk assessment is long overdue and will likely improve security in many organizations. CISOs find it easy to ignore junior systems engineers who say that systems are vulnerable, but things might be very different if a company’s insurance premiums are affected by the same concern.
In short, this shift might mean that insurance companies will finally force CISOs and CEOs to look seriously at the security that is in place within their organizations and improve it. That this task falls to insurance companies – rather than government regulators – is another strange aspect of the story, but then things have never been straightforward when it comes to cybersecurity.
Though long overdue, this new approach might finally end the game of “pass the buck” which has arguably contributed to many of the biggest hacks of recent years. Once the insurers and the insured have a better understanding of what they are, and have been, underwriting, this cyber risk enlightenment might just cause companies to realize the benefits of digital risk protection services, and that their best and most cost-effective cyber insurance policy is the work they do to reduce cyber risk. Only then will we see actual levels of cyber risk come down.