Cyber Insurance Does Not Appear to be Improving Cybersecurity
A paper from Britain’s Royal United Services Institute (RUSI) “explores whether cyber insurance can incentivise better cyber security practices among policyholders, … [and] finds that the shortcomings of cyber insurance mean that its contribution to improving cyber security practices is more limited than policymakers and businesses might hope.”
The important quote in this report is something I told insurers back in the early 2000’s when I was at Gartner: “The difficulties inherent in understanding cyber risk, which is anthropogenic and systemic, mean insurers and reinsurers are unable to accurately quantify its causes and effects.” OK, I didn’t use the term “anthropogenic” – I had to look that up: basically, it means “caused by humans.” My version: bad guys exploit vulnerabilities in people and software. There are no tables of material strengths for either people or software, thus human engineering and software engineering are oxymorons – they are not engineering disciplines and broad, rigid standards can’t be driven by insurance companies. The report’s number one recommendation is that “essential security hygiene” be mandated, in this case the UK Cyber Essentials which is similar to the CIS Critical Security Controls Implementation Group 1.
Cyber insurance is too new to expect it to affect business. At this point, insurance companies are experimenting with the product and collecting data to refine their business. I hope insurance companies will bring the same data-driven approach they use for other insurance products to cyber security in the future.
Purchasing cyber insurance doesn’t alleviate the responsibility to implement cyber security. The past year, with ransomware payouts by insurers, has been the first time they are operating in the red, so I expect insurers to either stop or modify their coverage for ransomware, or raise the bar by developing a cybersecurity “clean bill of health” (aka minimum standards) before providing coverage, as well as monitoring breach and incident notifications to ensure their insured clients are maintaining a healthy cyber security posture.
Read more in
RUSI: Cyber Insurance and the Cyber Security Challenge (PDF)