U.S. Commission Explains Why It Thinks Insurance Is Failing Cybersecurity

March 11, 2020

The following excerpt is from the new report, “A Warning from Tomorrow,” on U.S. cybersecurity strategy by the Cyberspace Solarium Commission. The report contains about 75 recommendations on what the country should do to defend itself from cyber warfare and attacks. It includes several recommendations for government intervention in the area of insurance — as reported by Insurance Journal.

The insurance recommendations appear to flow from the thinking captured in this excerpt. Here the commission says the government needs to step in because the insurance industry, on its own, is failing to provide financial incentives for better cyber risk management:

Can Modern Insurance Improve Cybersecurity?

Insurance can provide financial incentives for individuals and organizations to better manage their risk. From incentivizing the use of seatbelts and airbags in the automotive industry to pushing for fire suppression systems as a part of building codes, the insurance industry has played an important role in identifying risk management standards for individual consumers and large corporations alike. A robust and functioning market for cyber insurance could play a similar role in identifying and regulating behavior to improve cyber risk management.

Today, the market for cyber insurance is failing to deliver on this potential. The reasons for this failure are varied. Insurers struggle to find underwriters and claims adjusters, the individuals charged with pricing and adjusting the price of risk, who understand cyber risk. Where talent exists, insufficient or inconsistent models for risk persist. Confounding these factors is the notion of silent cyber risk—the cyber risk inherited from other insurance offerings, such as general corporate liability or property and casualty coverage. All of these issues lead to a hesitancy on the part of insurers to assume meaningful amounts of risk that would define a healthy cyber insurance market.

Currently, the estimated worldwide value of cyber insurance premiums sits at $7.5 billion. For context, in 2017 property and casualty insurance premiums were worth $275.5 billion in the United States alone. Because insurers can either assume their inherited cyber risk with little threat to their overall solvency or pass this risk along to reinsurers in the form of derivatives, they have little incentive to push the entities they insure to manage that risk. For the insurance industry to effectively serve as a lever to scale up risk management, the industry must mature to supply products aligned with the demands of those seeking to buy them and must increase overall premiums to take on a meaningful amount of risk.

Some of this maturation will come with time, but the U.S. government is well placed to play the same role it has taken with other emerging insurance industries throughout history, facilitating collaboration to develop mature and effective risk assessment models and expertise. Cyber insurance is not a silver bullet to solve the nation’s cybersecurity challenges. Indeed, a robust and functioning market for cybersecurity insurance is not an end in and of itself, but a means to improve the cybersecurity of the U.S. private sector and the security of the nation as a whole in cyberspace.

Source: A Warning from Tomorrow
