Why Mandating Cyber Reporting, Basic Coverage Makes Sense: Cyence Exec


Matt Honea, cyber manager at Cyence, a San Mateo, Calif.-based cyber risk modeler, thinks a great way to get companies to report cyber attacks is to make them do it.

Honea, who believes insurers can be a catalyst for collecting data on cyber attacks and attempted attacks, also believes it’s a good idea to make cyber insurance a required coverage for companies.

He may be on to something. Cyber attacks may be more prevalent than many would like to think.

A survey of senior business executives released by Hartford Steam Boiler shows more than half (53 percent) of U.S. businesses have experienced a cyber-attack in the past year.

Honea spoke with Insurance Journal about cyber risk and offered his take on better ways of accounting for it.

This has been edited for clarity and brevity.

(Editor’s Note: Insurance Journal reported last week that Cyence is being acquired by Guidewire.)

Insurance Journal: How would you describe the cyber insurance market?

Honea: The cyber insurance market, it’s growing. We really want to develop the cyber insurance market as a whole to have a robust model in place. When you look at insurance and how it takes place in society now, ultimately people buy insurance to secure their business.

No business wants to fail because of a single catastrophic event, and it’s by definition when you have a robust market, these individuals – should something happen, misfortune – they can at least limit that damage and limit the financial damage and still continue to do business. Ultimately, by doing business, you improve the economy itself.

If you want to have a robust market, you need to not only understand the market itself, to be able to model it, be able to predict it, be able to understand the risks involved.

But I think one of the big things is you need to be able to say when can you deny coverage or when can you say that “Hey, this building is on a fault line and I just don’t want to cover this because there’s too much exposure here.”

I think a robust market will be able to answer that, especially in cyber. If you ask insurers right now what is the common criteria for denying a cyber insurance policy, I don’t think anybody will be able to give a real good answer at this point.

To be fair, it’s a hard question, but really when you have a robust market, people can start answering this question collectively and without less deviation.

Also, when you have a robust cyber market, you have this thing called economic efficiency, where, by raising the awareness about security, you actually lead to overall improved security. An example of that would be, for example, if we look at seat belts, right? Historically, you have seat belts. There’s actually a requirement to wear seat belts, so there’s less deaths per car accident because people are required to wear seat belts. Ultimately, more people live and pay into the system. It’s this concept of economic efficiency, essentially.

We have that and there’s numerous examples. The boiler inspections, for example. You have routine inspections, maintenance done on boilers and so you have less explosions that cause catastrophic loss and death. Then, sort of a trivial example of that would be, let’s say, you brush your teeth.

You have dental insurance and the insurers could actually…Let’s say that you do brush your teeth pretty often. From the insurance lens, you have less major dental work, so sure, why not? If you brush your teeth regularly and that leads to less dental work, why not put up money on your premium?

I think as the world starts to accept these cyber attacks as a real threat that causes damages to businesses, then there’s going to be a need for more data and more reporting and more information just from all sides of the house that are involved in the cyber market.

IJ: I’ve heard many cyber events without major loss often don’t even get reported. Is this problem bigger than we know, and how can insurers go about addressing this?

Honea: Coming from a more technical background, I know that there’s a lot of events that happen related to cyber that are just never reported because either, one, it’s not a big deal to them, maybe there’s no loss, but two, they’re not required to.

We have a bunch of issues. For example, ransomware. You see that there were numerous, numerous companies coming out publicly saying, “Hey, I was affected by this global ransomware campaign. It led to losses.”

One of the things that’s hard to see is how many individuals or how many small companies are affected by this. When you look at the regulations, especially in the U.S., there’s so many different regulations, 50 different kinds for each state, where it’s very hard to understand the impact of cyber attacks.

I think this is one of the biggest problems we see in this era right now, is knowing exactly how many attacks are happening in the world. Insurance could actually come in and really be a huge catalyst for some reporting.

For example, if an insurer would come in and they have a good relationship with clients and they can somehow demonstrate or give an incentive saying, “Hey, how many attacks have you actually fended off recently?” Or, “What have you done proactively to help your security that would fend off attacks and do you have any records of that?”

If (a company) could show that to the insurer, then the insurer would have incentive to say, “Hey, yeah, you guys are doing a great job. You’re doing really good security. Let me lower your rate here.”

In turn, the insurance company gets the data itself and they can build much more comprehensive modeling of attacks, and surface, how many clients and things like that are in different industries, and how many attacks are happening.

Ultimately, that information could go upstream and you could start looking at country levels or government levels and really understand the breadth of major cyber attacks.

All that to say that if you have a mature market and there’s a standard or some way for reporting, not only attacks, but attempted attacks, I think we’ll see that insurance can be a really good catalyst for collecting this information.

They’re also stronger in terms of if you look at any other industry, insurance does play a big role in reporting. I think we can relate that back to cyber.

IJ: I’m sure there are a lot of ways to improve reporting on cyber loss. Can you give some examples?

Honea: If there was some requirement in place for companies to report the incident. For example, let’s say the government steps in or a government steps in and says, “Listen, there’s a mandate for reporting. It’s a very minimum mandate or just a basic set that can be applied to all sectors, all industries.”

I think I’d draw the comparison to auto reporting, where you’re not going to capture 100 percent of every single auto accident, but you’ve got a lot of data there and you can actually use even the data, if it’s not 100 percent, to help improve the overall posture. If the government steps in, I think that’s one way.

If there’s regulations in the industry about having cyber insurance as a mitigating factor, then that would help the overall industry as well. I think that, like I said before, there’s no way to mitigate risk 100 percent.

If there’s a regulation to have even just a baseline policy, or even just a very small policy, I think then they’ll have much more coverage and they’ll be able to see many more attacks from these small businesses.

If you look at and see who else would be in this realm, I don’t think there’s any other industry other than insurance. The reporting is very low as we know now. Companies just don’t have the incentives.

Insurers have great relationships with their clients and there’s a business incentive for clients to show that they’re doing a good job. A high penetration of insurance will allow an information-sharing angle to disseminate all of the threat intelligence that they collect to the broader community, and then really, I think that will overall improve the posture around the world.

It’s something that sort of how I alluded to before, where if you have an economic efficiency impact, where just a small little reporting will really trickle up and cause a better economic efficiency.
