{"id":11949,"date":"2018-04-06T10:45:03","date_gmt":"2018-04-06T18:45:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/04\/06\/news-5718\/"},"modified":"2018-04-06T10:45:03","modified_gmt":"2018-04-06T18:45:03","slug":"news-5718","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/04\/06\/news-5718\/","title":{"rendered":"Cyberinsurance Tries to Tackle the Unpredictable World of Hacks"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5ac69a78e04ee70b0675ef51\/master\/pass\/cybersecurity_insurance-FA.jpg\"\/><\/p>\n<p><strong>Credit to Author: Josephine Wolff| Date: Fri, 06 Apr 2018 11:00:00 +0000<\/strong><\/p>\n<p><span class=\"lede\">In the aftermath <\/span>of the <a href=\"https:\/\/www.wired.com\/story\/how-to-protect-yourself-from-that-massive-equifax-breach\/\">Equifax data breach<\/a> last year that exposed personal information of more than 145 million people, analysis firm Property Claim Services <a href=\"https:\/\/www.reuters.com\/article\/us-usa-budget\/trump-budget-plan-to-seek-funds-for-border-wall-infrastructure-opioid-treatment-idUSKBN1FW0BL\" target=\"_blank\">estimated<\/a> that cyberinsurance  would cover roughly $125 million of Equifax\u2019s losses from the incident. It\u2019s uncertain whether Equifax will actually receive that much money; insurance claims can take a long time to investigate, process, and pay out. But it was a reminder of the increasingly important role insurance plays in cybersecurity\u2014and the challenges of getting it right.<\/p>\n<p>In 2016, the cyberinsurance market brought in around $3.5 billion in premiums globally, of which $3 billion came from US-based companies, <a href=\"https:\/\/www.oecd.org\/daf\/fin\/insurance\/Supporting-an-effective-cyber-insurance-market.pdf\" target=\"_blank\">according to<\/a> the Organisation for Economic Co-operation and Development. 
That\u2019s not an enormous amount of money compared to other insurance markets; motor vehicle insurance premiums in the US, for instance, total more than <a href=\"http:\/\/www.latimes.com\/business\/la-fi-agenda-driverless-insurance-20160620-snap-story.html\" target=\"_blank\">$200 billion annually<\/a>. But cyberinsurance premiums have grown steadily at a rate of roughly <a href=\"http:\/\/www.aon.com\/inpoint\/bin\/pdfs\/white-papers\/Cyber.pdf\" target=\"_blank\">30 percent<\/a> every year for the past five years, in an industry unaccustomed to such spikes.<\/p>\n<p>&#x27;The worst data is probably in cyberinsurance.&#x27;<\/p>\n<p name=\"inset-left\" class=\"inset-left-component__el\">Nick Economidis, Beazley PLC<\/p>\n<p class=\"paywall\">With the <a href=\"https:\/\/www.wired.com\/story\/europes-new-privacy-law-will-change-the-web-and-more\/\">European Union General Data Protection Regulation<\/a> poised to go into effect May 25, and firms of every size in every sector concerned about emerging online threats, insurance carriers see ample opportunity. But as the cyberinsurance market grows and those carriers take on responsibility for more computer-based risks, it becomes increasingly important that they model that risk and predict its outcomes accurately, a notoriously difficult task in the evolving and unpredictable domain of online threats.<\/p>\n<p class=\"paywall\">Companies like retailers, banks, and healthcare providers began seeking out cyberinsurance in the early 2000s, when states first passed data breach notification laws. 
But even with 20 years\u2019 worth of experience and claims data in cyberinsurance, underwriters still struggle with how to model and quantify a unique type of risk.<\/p>\n<p class=\"paywall\">\u201cTypically in insurance we use the past as prediction for the future, and in cyber that\u2019s very difficult to do because no two incidents are alike,\u201d said Lori Bailey, global head of cyberrisk for the Zurich Insurance Group. Twenty years ago, policies dealt primarily with data breaches and third-party liability coverage, like the costs associated with breach class-action lawsuits or settlements. But more recent policies tend to accommodate first-party liability coverage, including costs like online extortion payments, renting temporary facilities during an attack, and lost business due to systems failures, cloud or web hosting provider outages, or even IT configuration errors.<\/p>\n<p class=\"paywall\">The constantly changing threat landscape isn\u2019t the only challenge cyber underwriters face. Since many companies don\u2019t have cyberinsurance, lots of incidents go unreported every year, making it more difficult to reliably estimate the frequency or costs of such events.<\/p>\n<p class=\"paywall\">\u201cIf you\u2019re writing policies for personal automobile or personal homeowners insurance you definitely have a lot of really good data. The worst data is probably in cyberinsurance,\u201d said Nick Economidis, a cyber liability underwriter at Beazley PLC.<\/p>\n<p class=\"paywall\">In other areas of insurance, such as earthquake or flood coverage, carriers also make sure to diversify their customers, for instance by spreading them out across different geographic locations in order to avoid being overwhelmed by simultaneous claims. The cyberinsurance industry has attempted to diversify by adding clients of various sizes in different industries. 
But last summer\u2019s <a href=\"https:\/\/www.wired.com\/story\/petya-ransomware-ukraine\/\">NotPetya ransomware attack<\/a> did not discriminate based on sector or company size, causing <a href=\"https:\/\/www.wired.com\/story\/white-house-russia-notpetya-attribution\/\">well over a billion dollars in total damage<\/a> across shipping, pharmaceuticals, and more. So now, carriers try to diversify among cloud providers, web hosts, software dependencies, and operating systems, Bailey said.<\/p>\n<p class=\"paywall\">That, too, could prove challenging. While vulnerabilities like Heartbleed and ransomware like WannaCry\u2014along with the recent Spectre and Meltdown flaws in Intel chips\u2014don&#x27;t appear to have resulted in large cyberinsurance payouts, they show just how pervasive cybersecurity issues can be, and the inherent risk of simultaneous claims from many of a carrier\u2019s customers.<\/p>\n<p class=\"paywall\">As they struggle to assemble a diverse risk portfolio, many carriers have also partnered with security firms to provide their customers with a more standardized and, they hope, more resilient set of technologies to protect their digital assets. Allianz recently announced a partnership with Aon, Apple, and Cisco, through which customers could receive \u201cenhanced\u201d cyberinsurance policies from Allianz\u2014including lower deductibles and coverage for hardware replacement costs\u2014if they also use the assessment tools, security technologies, and breach response services provided by the three other partners. It&#x27;s a similar dynamic to a health insurance company offering discounts for in-network providers.<\/p>\n<p class=\"paywall\">The Allianz partnership is unique in offering lower deductibles and additional coverage to customers who adopt specific technology partners, but carriers and security firms often partner up to offer discounted or free security services for policyholders. 
A Chubb cyberpolicy, for instance, can come with preferred rates from CrowdStrike and FireEye, while XL Catlin partners with Clarium, Venable, and NetDiligence, among others. Zurich provides customers with access to Deloitte cybersecurity consulting services.<\/p>\n<p class=\"paywall\">Those partnerships aren\u2019t just added value for customers; they can help relieve carriers of some of the technical burden of auditing a company\u2019s IT security when deciding whether to cover them.<\/p>\n<p class=\"paywall\">\u201cWe really don\u2019t have the time to evaluate everyone\u2019s technology, nor are we sure that we are qualified to do that,\u201d Economidis said. \u201cIt doesn\u2019t seem to fit our expertise and becomes a business distraction for us.\u201d Instead, most carriers rely on written questionnaires submitted by potential customers about their security practices and incident response processes, though that information is often filtered through an insurance broker and is not always reliable.<\/p>\n<p>&#x27;We haven\u2019t developed the algorithm that correlates what technology they\u2019re using and what their premium should be.&#x27;<\/p>\n<p name=\"inset-left\" class=\"inset-left-component__el\">John Coletti, XL Catlin<\/p>\n<p class=\"paywall\">By partnering with Aon, which provides its own cyber-resilience evaluation service, Allianz hopes it will be able to more thoroughly\u2014and continuously\u2014assess its customers\u2019 cyber-risk profiles. 
Similarly, the carrier believes that encouraging its clients to use Apple devices and Cisco security tools will drive down the number and size of claims from its customers, especially small and medium-sized businesses without the resources to invest heavily in their own bespoke security solutions.<\/p>\n<p class=\"paywall\">And yet empirical evidence for the effectiveness of preventative security controls is surprisingly hard to come by in the data-driven world of insurance.<\/p>\n<p class=\"paywall\">\u201cFrom a cost perspective it helps to have a pre-negotiated rate with vendors, but on the prevention side I wouldn\u2019t say that we have data to suggest that the money that we have spent or our customers have spent on prevention partners has improved the security performance,\u201d XL Catlin chief underwriting officer John Coletti says. \u201cWe haven\u2019t developed the algorithm that correlates what technology they\u2019re using and what their premium should be.\u201d<\/p>\n<p class=\"paywall\">Sasha Romanosky, a researcher at RAND who studies cyberinsurance, said that even if carriers don\u2019t necessarily know which technologies will make their customers most secure, there may still be advantages to partnerships that ensure greater consistency across their clients.<\/p>\n<p class=\"paywall\">\u201cThe carriers don&#x27;t really know the answer to what characteristics to what makes a firm or group of firms vulnerable, and what insurance carriers would do with that is diversify their portfolio,\u201d Romanosky says. \u201cBut on the other hand, if every carrier requires that everyone use the same firm it creates consistency and a lot of what we want right now is standardization in assessing and reporting and presenting and mitigating cybersecurity risk. 
There are advantages of uniformity.\u201d<\/p>\n<p class=\"paywall\">Even as they work to impose some uniform risk management practices on their customers, insurers, too, are moving towards more standardized, consistent offerings across firms\u2014particularly when it comes to the size and scope of cyberpolicies\u2014in an effort to keep up with their competitors. At the same time, insurers like Allianz are experimenting with industry partnerships in low-risk efforts to distinguish themselves. The major cyberinsurance milestones and innovations so far have been characterized by that caution\u2014partnerships with well-established, big-name firms that have little or no impact on customer premiums or policy coverage. It\u2019s a slightly timid race to grab bigger pieces of the growing cyberinsurance market, since the insurers themselves are all keenly aware of how tenuous their grasp is of cyberrisk and its potential costs.<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/cyberinsurance-tackles-the-wildly-unpredictable-world-of-hacks\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5ac69a78e04ee70b0675ef51\/master\/pass\/cybersecurity_insurance-FA.jpg\"\/><\/p>\n<p><strong>Credit to Author: Josephine Wolff| Date: Fri, 06 Apr 2018 11:00:00 +0000<\/strong><\/p>\n<p>Insuring against hacks and breaches can be a lucrative business\u2014but also presents unique challenges.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714],"class_list":["post-11949","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11949","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11949"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11949\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11949"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11949"},{"taxonomy":"post_tag"
,"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11949"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}