Not that the question is even relevant: like it or not, cyber insurance is already here and will only continue to grow. The number of regulations that reserve the right to levy fines – some potentially astronomical – is growing to the point that they will feature large on any list of business risks. Or at least they should.
The challenges in bringing this to market are numerous, but they lie mostly on the insurance company side. Security is almost the definition of risk: it’s incredibly diverse, forever changing and expanding. And not important enough yet.
With car insurance, for example, the more cars you have on the road, the slower everyone has to go, so you actually REDUCE the risk. What once was a few very costly collisions is becoming more fender-benders. So, just up your no-claims bonus and even those claims will reduce.
The more computers and smart phones on the Internet, the more data you have everywhere, and the risks grow almost exponentially.
How do you insure that? If you don’t know security well, how do you write the policies? How do you perform appropriate due diligence on a concept that’s new to everyone? How do you perform PROPER due diligence in the face of stiff competition?
There are policies out there already, but these have been driven by specific regulations (PCI or HIPAA, for example), are aimed mostly at smaller organisations, and are very much off-the-shelf affairs with limited – in some cases VERY limited – due diligence. In fact, the pressure is on to make it as simple as possible or you’ll lose the deal; if your insurance company has a 12-page questionnaire, and your competition has only 1 (assuming price and T&Cs are the same), where will the buyers go?
Of course, the competition may end up regretting their stupidity later, but new insurance types are a very rare occurrence, and no-one wants to lose out on a revenue stream.
But what happens when VERY large organisations wish to insure themselves against the potential fines of the General Data Protection Regulation (GDPR), where 2% of global revenue is at stake? When multi-millions are on the line, a one page questionnaire that asks nothing about security will not suffice. What does that due diligence look like?
I believe it will run the gamut from some limited external vulnerability scanning in the case of smaller e-commerce, to an onsite audit in the case of a Fortune/FTSE 500. The better your security, the cheaper your policy. This may save pennies for smaller organisations, but would be of real significance to the larger ones.
However, I have always compared selling security to selling insurance: no-one wants to spend money where there’s no positive ROI, i.e. MAKING money. But the ‘negative’ ROI can be just as important, where not LOSING money on fines, forensics, reputational damage, client loss etc. can be every bit as meaningful.
Now combine that with selling insurance FOR security, and you’ve lost almost before you start. That is, of course, until the costs of loss far outweigh the costs to insure.
Poor security drives the need for regulation, regulatory fines will drive the cyber insurance market, which in turn will drive the security market. Eventually I would hope that organisations understand that they have brought this on themselves by not taking security and privacy seriously. Until they do, the burden of regulatory audit and the associated cost of mitigation will continue to rise in the face of public demand.
Regulation and cyber insurance are just symptoms of poor security, and as I have stressed many times, this is a cultural issue stemming from senior management’s lack of involvement and/or caring:
“Let’s be very clear; the CEO sets the tone for the entire company: its vision, its values, its direction, and its priorities. If the organisation fails to achieve [goal], it’s the CEO’s fault, and no-one else’s.”
Replace “goal” with “low security overhead” and the rest is the same.
Sensing a theme here?
The CEO can single-handedly reduce the costs of security; I wonder why so few are paying attention…