Request your free Security Rating Snapshot to find the gaps in your security program and how you compare to others in your industry.
In 2014, Cyber Insurance saw record growth. In fact, in a recent white paper from Advisen, their buyer penetration index showed a five-fold increase in insurance purchases from 2006 to 2013, demonstrating that many organizations have recognized the value in outsourcing corporate cyber risk. Naysayers, however, warn that this move does not make companies more secure and allows organizations to ignore the behaviors and issues that are creating security risks in the first place.
This argument reminds me of the health care debate here in the U.S. Because of the skyrocketing costs of health care, many people have argued that making health insurance more affordable for low-income individuals would create a healthier population and lower overall costs for everyone. Supporters believe that having access to affordable preventative care and diagnostics means that health issues will be detected earlier and treated before they become a major concern. Recent studies have shown that health insurance does in fact make people healthier (when looked at over the long term), though it's yet to be seen how it will impact costs.
True, it’s not the actual policy that makes people healthier, but having the policy helps people adopt the preventative behaviors and take steps that will, in the long run, make them healthier. The case is similar with cyber insurance; people have questioned whether having this insurance can make a company more secure. Below I have outlined three ways that cyber insurance can improve the security performance of organizations:
1) Underwriting assessment process = exposing risks, correcting behaviors
Before an insurance policy is underwritten, there is typically an assessment process to uncover any hidden risks associated with the organization. While health insurance might be the only case where this is not true (in the US you can’t be denied coverage for preexisting conditions), for cyber insurance underwriting, applicants complete questionnaires and assessments that are beneficial for uncovering practices that are exposing the organization to cyber risks. Many insurers are starting to use objective, data-driven assessments like Security Ratings for this process, and in so doing are able to see trends over time for potential insureds and highlight performance and configuration issues in the network. They then require remediation of issues and use this information in deciding how to structure policy(ies). Some insurers, like Liberty International Underwriters, are even using ratings to be able to provide ongoing monitoring and alerts to their insureds, while others are offering the service as a benefit to their policyholders themselves.
2) Mass adoption = security standards
A challenge in network security is that there are no consistent standards across industries and geographies that will guarantee a certain level of security performance from company to company. Compliance regulations stipulate such behaviors in some cases, but they vary broadly between industries and state lines. As the federal government has alluded to in cyber legislation discussions, a baseline of acceptable practice will start to appear as more companies begin to adopt cyber insurance.
Whether policies will become mandated or just commonplace is to be seen, but either way, as cyber insurance becomes more broadly adopted, underwriters will be looking for ways to standardize their assessment process and make sure they are not taking on unacceptable levels of risk. In so doing, they will look at companies and their business ecosystems in comparison to each other and have expectations of baseline risk management practices that could in time become acceptable security performance standards.
3) Policy renewals, lower premiums = consistent, improved performance
As you may know from having car insurance, once you’re insured, you don’t want to do anything that will drive up your policy costs or make you lose your insurance altogether. Auto insurance companies recognize this behavior and offer safe driver discounts and reduced rates to drivers who take risk reduction precautions, such as installing a car alarm or parking in a garage rather than the street.
The same can be true for businesses with cyber insurance. No one wants to be breached, and through the assessment process and the renewal process, organizations will be motivated to take steps to improve their security performance – especially if continuous performance monitoring is being used. Underwriters may begin to reward their higher performing clients by offering better terms.
On the flip side of this, it’s not just insurers who are using Security Ratings to monitor their policy holders. We have also seen organizations use Security Ratings for Benchmarking to negotiate their own insurance policy and obtain discounts in their premiums by being able to demonstrate evidence-based performance metrics that provide context for how their performance compares to peers and their industry as a whole. This helps insurers understand the level of risk they are underwriting, and rewards companies with better performance and hygiene practices.
Overall, it’s not that simply having cyber insurance will make a company more secure. However, with mass adoption, I think it’s clear that one of the benefits will be more consistent standards for acceptable performance, as well as a better understanding of what good security hygiene is. As more companies seek policies, and underwriters look for objective ways to assess cyber risk, we will reach a point where security performance will improve as a by-product of both underwriters and policy holders wishing to reduce risk and save money.