Industry Perspectives

Cyber Insurance and Social Networks

I hear many brokers say that cyber insurance is the fastest-growing product in the insurance industry today. While this could be true, it’s important to emphasize that cyber insurance should not be treated as a product, but as part of the continual security process.

Treating cyber insurance as a process means that it should have a flexible nature that matches the security exposure it is intended to underwrite. Cyber insurance should attach directly to the assets it’s trying to protect, and be agnostic to the varied attack vectors at hand.

Cyber insurance isn’t a product – it’s part of the security process.

This is not a new concept but it needs to go one step further – it also needs to reward those policyholders that can demonstrate:

  • They are creators of threat intelligence to the benefit of the greater good – providing vaccinations to the entire ecosystem, especially those that are less fortified.
  • They stop events from cascading through the system, providing dams to protect those downstream.

Aggregation risk can only be prevented if information/security sharing are table stakes, and insurance is treated as a process that ties them together to provide both security and financial incentives for action. The underwriter that can generate competitive differentiation is incentivized to have policyholders share information that then runs across their entire portfolio.

Paying it Forward and Backward

Those without strong security capabilities in place represent both the likeliest targets and the highest risk for successful attacks. SMBs make up the backbone of the American economic system but they are largely floating on a security boat designed by security product vendors and applying the ‘hope and pray’ model. Those companies with strong hygiene are undone by the weakest link in the chain. Larger companies are paying the price for the insecure nature of their smaller business partners. In addition, larger companies are expected to carry the insurance that is sorely needed by smaller players.

The Insurance Social Network - Pay in Knowledge or in Premium

Large and small businesses are connected like a social network – the degrees of separation between businesses do not exist anymore; there is no separation, we are in this together. Small- and medium-sized businesses need a low-cost approach to managing their cyber risk; they can’t afford cutting-edge security and would buy insurance if it were affordable and useful. Larger entities need to cover third-party risk and would rather invest in security than in insurance. The most appropriate risk structure would be a shared-risk model. Membership or premium for coverage should be in one of two forms:

  1. Cash premium
  2. Threat intel and distribution – real information sharing

A common underwriter represents the connection point between all these organizations to both collect and distribute intelligence that can immunize the entire ecosystem in real time, and the underwriter can earn a superior return because claims and aggregation risk are being actively managed. Linking threat intelligence customers as an ecosystem to a common underwriter, and having the benefits of this knowledge flow down to a population of policyholders, creates a sustainable business model.

Clients that utilize FireEye as a Service represent top-tier security capable clients, and they are subsidized via premiums paid by SMBs. SMBs are paying an insurance premium but in fact are receiving threat intelligence and security capabilities, neither of which they had the budget or capability for prior to securing insurance.

If small entities can’t integrate threat intelligence and respond to real threats, what’s the point? They’ll look for whatever you tell them to. What they can’t afford is full-scale IT security departments and dedicated CISOs and CIOs and a daily waterfall of false positives. If you tell them specifically how to protect themselves, you will get the desired results … or at least stop the cascading effect associated with aggregation risk, where one cyber risk rips through a population of organizations.

The insurance company’s role is to be the currency converter from data to premium – it does no good to protect yourself if all of your customers and suppliers are impacted. The entire ecosystem needs to be protected: not just the strongest links in the chain.

The Cyber Insurance Solar Powered Model

Consider those individuals who invest in solar power for their home. Some would argue that the ROI on solar power is not yet there … the payoff is so far into the future, it extends beyond the homeowner’s likely ownership period. But people do it because:

  • They feel it is the right thing to do, both environmentally and socially
  • They actually get paid by the utility if they return energy back into the system

Why can’t insurance be managed on the same basis? Those who pay for and create sound security postures are sitting on a wealth of knowledge that would benefit their entire community. They shouldn’t have to pay for the security of others, but if they share this knowledge they should be paid for it by those who contribute nothing in the way of knowledge, but are critical to the community’s overall health.

Designing a Community

The fundamental question becomes: will this model improve security across the entire ecosystem, and can it result in a sustainable business model?  The primary concern would be a catastrophic loss at the outset – damaging the insurance pool before it could be established. In addition, over time it would need to demonstrate a superior return, at least in terms of claims.

We have the ability and infrastructure to solve this problem if it’s done in concert. Having resources divided so unevenly across the economic ecosystem leaves security gaps that cannot be plugged fast enough. Insurance social networking is the key.