With well-publicised security breaches driving news headlines on a daily basis, losses and fines growing in magnitude, and state actors involved in a wide range of commercial hacking and cyber-driven political intrigue, the demand for cyber breach insurance continues to rapidly expand. Aggregate levels of in-force breach insurance premiums are on the rise and expected to grow tenfold over the next decade from $2 billion to $20 billion. The number of underwriters active is growing rapidly as well, with a double-digit annual growth rate in the global market.
These volumes are growing in response to the need – large breaches are happening frequently and the expense associated with containment and clean-up is escalating. Regulations such as the US Office of the Comptroller of the Currency (OCC), various directives on vendor risk management, and the EU’s recent NIS Directive put additional pressure on organisations and their downstream suppliers to take steps to protect themselves and their customers, including the acquisition of appropriate financial coverage in the case of debilitating incidents.
Constraints in cost and coverage
While the supply of coverage is increasing with new entrants to the marketplace, demand continues to grow for the reasons outlined above. The available aggregate coverage for large businesses continues to be a concern – in many cases, organisations are unable to buy the coverage they
desire with many carriers capping exposure at $100 million – a figure that is simply not adequate for the largest consumer-facing organisations and others with sensitive or regulated data at risk. In many respects, the net of these dynamics is one of demand outpacing supply. As in any market under these conditions, the buyer may be at a disadvantage.
As such, organisations are looking for leverage in negotiating pricing for cyber risk coverage. As with most categories of insurance, the best way to obtain the required amount of coverage at the best rates is to demonstrate that you are a good risk, or that you are taking the necessary steps to become a better risk. This certainly applies to consumers shopping for auto or homeowners’ coverage. It equally applies to companies looking for various traditional forms of liability insurance. While the coverage category of cyber breach insurance is still nascent in many respects, the same dynamic is certainly true. If you know your risks, you can negotiate with that knowledge in hand. If you reduce your risks, you can get a better deal.
With many organisations deciding that it’s a good time to seek cyber risk coverage as part of their broader errors and omissions insurance coverage stack, sharper companies are also realising that the best approach to negotiating for such coverage is to be better prepared for the inevitable conversation about their organisational risk profile. This means understanding risk relative to peers, describing risk in both qualitative and quantitative terms, and having demonstrable programs spanning organisational boundaries which both measure and proactively manage risk going forward.
Transparency and efficiency
There is a parallel between the current world of consumer credit risk assessment and the emerging world of enterprise cyber risk assessment that is worthy of consideration. In the wake of the financial crisis – due to regulatory changes, market forces, and emerging technologies – consumers are finding themselves in a much more empowered position vis-à-vis the financial institutions with which they are doing business. Consumers now generally understand the credit scoring used by lenders in making consumer lending decisions. Lenders have been compelled to share credit scores with consumers in the underwriting process for many types of loans, and consumers are now accessing these scores pre-emptively to optimise their search for the best consumer lending deals. By understanding the way that lenders are viewing them, and by developing a basic understanding of the correlation between their score (risk) and price, consumers are gaining an edge in shopping for the best deal and in negotiating terms with their bank.
Transparent markets are efficient markets – this is an established tenet of economics. The fact that insurance carriers are increasingly looking at third-party risk assessment tools as part of their underwriting assessments not only improves risk quantification for the underwriter, but also provides an opportunity for cyber risk coverage shoppers to look at themselves through the same lens the carrier will focus on them during the underwriting process. New quantitative cyber risk assessment tools are akin to the credit scores discussed above, or the general business risk ratings (such as offered by Dun and Bradstreet) with which we are all familiar. These tools communicate risk in the form of a grade or score that can serve as a benchmark in comparison to peers or track progress (or degradation) in risk management over time. As most of these tools are also made available for organisations to use for self-assessment, there is an emerging opportunity for coverage buyers to benefit through the risk transparency this creates between themselves and their insurance carriers.
Armed with these tools, organisations seeking coverage have the opportunity to know how they rank in comparison to peers, others in their industry sector, or even with respect to themselves at a previous renewal. This knowledge can provide important leverage in negotiating rates and can serve as an important conversational catalyst in more esoteric conversations around organisational cyber risk. Caring enough to understand and quantify risk certainly demonstrates a level of attention to and concern about risk management that has positive implications in an ecosystem which is still largely driven by judgmental underwriting criteria.
As evidence of the same, many insurance carriers are also incorporating risk measurement offerings into their panel of sponsored pre-breach or other pre-emptive risk management services offered to their covered clients. These carriers have realised that measuring and monitoring risk is the first step in reducing risk. You can’t fix problems you are unaware of, so promoting awareness is a useful tool in reducing exposure. Quantitative assessments also provide an advantage in that they can be tracked over time, enabling an organisation to know whether they are getting better or worse.
Tools delivered as a simple metric or grade enable utility up and down the management chain – even non-experts can understand a score change or a peer-group comparison based on simple statistics. This enables board level leadership and others in non-technical accountable positions to make more informed decisions about investment priorities when it comes to security. As in any other aspect of management, good metrics are the foundation for action.
The net is this: there are new and emerging ways to become a smart shopper for cyber risk coverage. When buyers and sellers have the same information, markets are most efficient. For coverage seekers, transparency implies an ability to find the best coverage at the best rates. For coverage providers, transparency enables risk-based pricing and stronger competitive advantage. A good way for buyers and sellers (coverage seekers and carriers, respectively) to more quickly create market equilibrium is to use common metrics as the lingua franca for this important value exchange.
What to look for in cyber scores
A few of the new cyber risk products are not likely to add value beyond the judgmental assessments that any cyber expert might give an underwriter. Others, however, take an empirical, quantitative approach which will provide a direct and predictable correlation to long-term outcomes. These will be the tools which are ultimately valued by insurance carriers and so are the ones that the cyber coverage shoppers should seek to understand and adopt. They can provide solid, forward looking risk assessment, and their ongoing use can serve to drive continuous improvement.
Publicly available information, dark web data, firmographic information, and IP scans can all yield insights about organisations that can be correlated to cyber breach risk. While many of these indicators are not necessarily breach vectors unto themselves, the correlation between the externally visible characteristics of exposed information technology assets and actual breach events can be empirically derived.
It’s fair to think of these data assets in the same way as one would think about the data available at credit bureaus for consumers relative to their credit performance, and it’s useful to think about the resulting ability to correlate these characteristics with breach events as akin to credit scores which quantify the likelihood of credit default. These kinds of metrics have served to drive efficiency and transparency into credit markets as well as certain classes of consumer and commercial insurance coverage. They have the same power to drive efficiency into the cyber risk insurance space as well. Making yourself aware of your relative risk profile before searching for coverage has the power to put you in an advantageous position.