The insurance sector has been underwriting cyber risk for about two decades and up until recently, it does not appear that most businesses have given much thought about how to offset cyber risk with a financial instrument like an insurance policy. When we combine this factor with a categorical misunderstanding about cyber risk, we have the ingredients for the perfect storm.
If you have seen the movie “Moneyball”, there is a great scene where Jonah Hill’s character (a statistician) is educating Brad Pitt’s character (GM for the Oakland A’s) on what a ball club’s goal should be. To paraphrase, “Baseball thinking is medieval. Your goal shouldn’t be to buy players.Your goal should be to buy runs.”
In mitigating cyber threats, your goal shouldn’t be to buy technology. Your goal should be to lower your cyber risk profile that ultimately improves your bottom line.
The reason I bring this up is you will see a continued theme in a lot of my posts that will suggest that merely relying on investment strategies in cybersecurity technology alone is a no win scenario. Like Captain Kirk from Star Trek, I do not believe in “no win scenarios”.
More money is spent on cybersecurity today than ever before and all indicators look to support that it will continue to increase. Data from the Atlantic Council conveys this increase. In less than a decade, we have seen greater than a 200% increase in the level of spending in the United States.
Conversely, we see a continued increase in the number of successful breaches with a more refined focus that yields the greatest financial impact (positive for the aggressor and negative impact on corporate bottom lines). In short, business owners are not improving their level of cyber risk in proportion to their level of spending.
In a recent OECD Report for the G7 Presidency during their May 11-13event this year, the following narrative was included, “Most governments have adopted national cybersecurity or digital security strategies. However, while these strategies aim at improving awareness about cyber risk, they do not always address cybersecurity as an economic and social risk management issue.” For today’s blog, I will focus on the economics of cybersecurity and how insurance plays into this. For years I have heard industry experts say, “You cannot show a Return on Investment (ROI) for cybersecurity.”.
When we look at the Potential Losses column on page 4 of the report, there are 21 types of losses that are consistent with the types of items a cyber-policy may cover. Utilizing a financial instrument like an insurance policy is critical to offset significant financial losses. Having said that, there are unique challenges in the underwriting of cyber. There are approximately 63 companies offering policies to cover cyber events with the majority of policies being underwritten by just six firms (AIG, Hartford, Chubb, Zurich, ACE, and Beazley).
These policies are generally written against data collected from questionnaires that reportedly (from those in cyber that complete them) offer little relevance in determining an actual cyber risk profile. Some questions include, “Do you have a firewall – Yes/No”. Or the carrier will want to know your annual corporate revenues as there is a belief that the higher your revenues, the higher your risk of a claim. So let’s examine this brief snapshot of the insurance review process.
1. Do you have a firewall – Yes/No
Not to be glib but if you answer “yes”, is it plugged in? Who configured it and what was that person’s qualifications? Is it monitored and if so by whom and how often?
2. Annual Revenues
Multiple sources highlight that greater than 60% of cyber insurance claims arose from small business owners. This appears to contradict the theory of the higher the revenues, the more likely a claim will be filed.
While I will not go so far as to say underwriting of cyber risk is “medieval” (to steal the Moneyball quote), there is a definite opportunity to improve based on the legacy nature of questions used in determining premiums, coverage, deductibles, and exclusions.
In the end, if you do not have insurance coverage to address the traditional ranges of cyber incidents, your total cost of ownership goes up. For those “experts” that advise you cannot show an ROI for cyber, my response is, “it is not relevant”. If I can show an option to lower your total cost of ownership and thereby improve your bottom line, that is an “economic” decision. This decision helps us move away from the no-win scenarios we are exposed to every day as it applies to gaining cybersecurity support and buy in from business owners.