You can’t insure what you don’t understand.
The cybersecurity insurance industry is in a tumultuous period, with skyrocketing deductibles, new limitations, hidden assumptions, and a slew of lawsuits from customers. The market is hot, with many companies now seeking cyber insurance policies, but some insurers are pulling back because unexpectedly high payouts are leading to losses, while others are blindly diving in to get a piece of the action. The insurance industry has a reputation for being stable and predictable over time, but it has failed to grasp the ambiguity and unpredictable nature of cyber.
I will outline what it will take for insurance companies to succeed, but first, a story:
I remember, well over a decade ago, speaking to the insurance industry about the need for, and the challenges of, the emerging cybersecurity insurance market. I had just published my Return on Security Investment (ROSI) paper and my annually recurring cybersecurity predictions. With a refreshed understanding of how difficult it is to foretell the risks and likelihoods of cyber-attacks, I warned the insurance community that their normal actuarial methods would not work over time. They would need entirely different ways to approach the growing chaotic uncertainty and radical shifts driven by intelligent attackers who take advantage of rapid technology innovation and adoption.
I was summarily dismissed time and again with comments like “you don’t know insurance”, “we are the experts”, “we do this type of work all the time” and my favorite “we have algorithms that can predict this type of activity”.
Cybersecurity insurance has struggled with inconsistency and a high degree of variability — not the attributes that are conducive to the insurance industry. Only now are they realizing the challenges and their inability to get ahead of the problems. In December, Mario Greco the CEO of Zurich Insurance, one of Europe’s biggest insurance companies, stated that as cyber-attacks grow, they “will become uninsurable”.
Well, that is not exactly the truth. If the industry’s inability to predict losses continues, then yes, insurance companies will not be able to charge correct premiums that cover community losses. But, if they do get a better grasp, then they can run the business to properly insure against catastrophic events while simultaneously making a decent profit.
So, I am happy to see that some insurance companies are realizing they didn’t know what they didn’t know, and are building specialized centers of excellence to better understand the nuances that make insuring against cybersecurity incidents so difficult. Liberty Mutual Insurance recently announced the opening of a Global Risks Solutions Cyber office. Perhaps a decade late, but this is a necessary step.
Now, my advice to you (listen up cyber insurance companies) is to bring in real cybersecurity experts!
No, you don’t have them in-house.
No, you cannot simply slap ‘cyber’ on the title of an actuary or an executive and expect them to understand the important nuances of cyber.
No, those guys in IT and Engineering are not cybersecurity experts either.
You need people who have actually been in the trenches, shown proficiency and thought leadership, and wear the scars earned over the years, with pride.
Here are your simple criteria: Find people who have a strong history of PREDICTING cybersecurity macro trends. That is the key to algorithmic foundations that integrate the right aspects of risk over time. That is what it will take to build a robust, fair, profitable, and competitive cybersecurity insurance business that will serve customers superbly over time.
The cybersecurity insurance industry must transform itself in order to survive. Success requires that it shed legacy preconceptions and evolve its practices to adapt to the shifts that govern risks and losses in the cyber world.