Free S&P Article: Does Insurance Have a Future in Governing Cybersecurity?

Daniel W. Woods, Computer Science, University of Oxford, Oxford, Oxfordshire, United Kingdom; Tyler Moore, Cyber Security, The University of Tulsa, Tulsa, Oklahoma, United States

Abstract

Cyber insurance could achieve public policy goals for cybersecurity using private-sector means. Insurers assess organizational security postures, prescribe security procedures and controls, and provide postincident services. We evaluate how such mechanisms impact security, identify market dynamics restricting their effectiveness, and sketch out possible futures for cyber insurance as governance.

Despite grabbing policy makers’ attention, cybersecurity has seen very few policy measures adopted. Efforts to spur investments in cybersecurity have been modest and diffuse. Ex-ante obligations tend to be industry specific and avoid prescribing technical controls in favor of specifying organizational processes that must be followed. Organizations setting security budgets and deciding how much and where they should be spent must look beyond regulation.

Private governance influences how responsibilities and liabilities are aligned for organizations. For our purposes, this consists of nongovernmental entities creating rules and enforcement mechanisms that influence security decisions. For example, the Payment Card Industry Security Standards Council defines a standard for how merchants manage credit card data. This includes the annual validation of compliance with the standard and fines for noncompliance resulting in lost data. Enforcement power is derived from controlling access to payment card networks. Merchants must either accept the standard or ask their customers to pay by other means. The subsequent Payment Card Industry Data Security Standard (PCI DSS) is remarkably prescriptive in terms of how payment card data are handled, especially when compared with most public regulations.

The insurance industry provides another model of private governance. Ericson et al. analyzed how insurers attempt to control policy holder decisions to reduce the “moral risk” of policy holders who act recklessly. Insurance contracts define rules to be followed, insureds are assessed before the contract is signed, premiums rise and fall depending on insured characteristics and behavior, and claim-generating incidents are investigated. Although there is skepticism regarding its effectiveness, insurers can influence policy holder behavior up to the point that switching to another provider or operating without insurance is preferable. Such processes occurring “beyond the state” tie into a liberal theory of governance that de-emphasizes state responsibility.

Given the limits of public policy measures thus far, enthusiasm for insurance as a form of cybersecurity governance is growing. Public institutions in the European Union (EU) and the United States have published reports exploring how they can support the insurance industry in improving cybersecurity levels. The impact will increase as more organizations purchase policies. Allianz, for example, predicts the cyber insurance market will grow to US$20 billion by 2025, as identified by Romanosky et al.

Insurers face incentives to put mechanisms of control in place to reduce cyber losses. Scholars predict that the industry will increase security levels by offering premium discounts for more secure infrastructure. Talesh suggests insurers focus on reducing losses postincident by acting as the self-styled “quarterbacks of data breach response.” These claims about cyber insurance are based on intuition and insurers’ self-reporting. Establishing whether and how these mechanisms occur is necessary, especially given that policy makers are considering costly interventions to support the market. Government acting as the (cyber) insurer of last resort is frequently proposed, for example.

Cyber Insurance As Governance

Cyber insurance was predicted to impact security behavior before any evidence was collected. In 2001, Schneier envisaged a world where every organization purchases network security insurance with discounts offered for security enhancing decisions such as replacing an insecure Windows system with a more secure version of Linux. The optimistic essay ends by suggesting “good security [will be] rewarded in the marketplace” as insurers recognize “computer security snake-oil peddlers.”

A 2008 report echoed Schneier’s vision of premium discounts as incentives, while also suggesting discounts could be used as security metrics. Security investments offering a bigger discount would be viewed as more effective. These discounts would be based on knowledge generated by aggregating claims data or even commissioning primary research. Despite the report being commissioned by a policy-making institution, the authors offered a wait-and-see conclusion regarding possible policy measures in support of the market.

Although these arguments are intuitively appealing, a review of cyber insurance in 2010 revealed that “positive expectations about cyber insurance have not been analyzed rigorously.” Informal conjectures claimed the insurers would impact security levels or generate knowledge without any corresponding parameters or model features. If this was a criticism of theoretical research, their observations of empirical research went even further by stating “we are not aware of any quantitative empirical work on cyber insurance markets.”

Yet policy makers in the United States and the EU latched onto the idea that insurers can incentivize better risk management. Reports released from 2012 onward by public institutions in the United States and the EU suggest that insurance contracts will contain “prescribed security controls and procedures” that the policy holder must implement for coverage to be valid. All of the private governance mechanisms covered in this section were discussed at some point; however, these reports were largely based on individual views of the market, not empirical findings.

Talesh explored the topic by collecting evidence from industry conferences, educational webinars, and marketing documents. This self-reporting by insurers supports the conclusion that insurer-sponsored help is greatly appreciated by organizations. The article concedes that suggesting this leads to a net benefit is premature, especially given that Talesh admits the value of these insurer-sponsored risk management services remains an open question.

The following is a list of mechanisms by which insurers are claimed to affect cybersecurity:

  • C1 Assess Security Levels: The application process will “measure the organization’s practices and make sure they are consistent with the prevailing security standards.”
  • C2 Incentives for Investment: Premium discounts will influence the choice of systems and security controls.
  • C3 Create Security Obligations: Ensure that contracts will contain “prescribed security controls and procedures.”
  • C4 Access to Response Services: Provide “a menu of services that an organization can quickly access in the event of a data breach.”
  • C5 Generate Knowledge: Aggregate claims information and conduct primary research to develop an understanding of cyber risk.

Before policy makers endorse insurance as an effective form of governance, we should evaluate these claims by collecting empirical evidence.

The Evidence Thus Far

We conducted nine interviews with underwriters operating in the Lloyd’s of London market, which sells insurance to international clients. We also considered the findings of several empirical studies. Romanosky et al. analyzed 235 regulatory filings regarding cyber insurance policy terms, application forms, and pricing algorithms. Woods et al. mapped the security controls found in 24 cyber insurance application forms to two popular information security standards. Franke conducted interviews with 15 insurance professionals based in Sweden. Axon et al. analyzed 70 cyber insurance claims.

Application forms collect information relevant to information security, confirming that insurers assess security (C1). Which aspects of security are measured is a more interesting question. A study of 44 application forms found “only very rudimentary information is collected” about technical infrastructure. Further, many forms do not collect any information about entire sections of popular information security standards.

Often these forms are not even filled out because brokers push underwriters to assess larger clients based on market meetings. Multiple underwriters ask representatives of the insured questions about IT architecture and security measures over the phone. Interviewees reported questions going unanswered, with one suggesting that insurance can be purchased without naming “who your dependencies [sic] are,” thus undermining the insurer’s ability to monitor vendors.

Results from the Swedish interviews suggest that implementing security controls and procedures leads to premium discounts (C2); however, many Swedish insurers do not actually put this into practice, stating that discounts suit bigger clients better. Our U.K. respondents offered discounts based on a holistic view of an applicant’s security but cannot quantify the effectiveness of a security control in isolation. One interviewee suggested accreditation to standards does not lead to a massive discount, while another said, “… it is not like a 10% discount if you take good logs.” A separate interviewee suggested that discounts for IT security were coming down because “more of the issues are coming out of procedure.” Romanosky et al. found that 45% of pricing algorithms filed with U.S. regulators did not even consider information security.

Organizations face little additional incentive to comply with the security policy once a policy has been purchased (C3). The most commonly observed exclusions were not necessarily directly related to the cyber realm. The exception proves the rule in “Columbia Casualty Company Versus Cottage Health System,” in which an insurer denied coverage because the insured used factory default system configurations and systems for which security patches were no longer even available, much less implemented, despite representing otherwise in the application. This was the first such case, and it was widely believed that these terms should have been negotiated out of the contract, which suggests that insurers cannot punish policy holders for flouting basic security procedures.

Insurers are more likely to exclude types of losses or causes of incidents. Famously, one insurer excluded coverage for the NotPetya attack claiming it constituted a “hostile or war-like action,” which had already been identified as a potential issue by Woods and Simpson. Although this legal case relates to a property insurance policy, cyber insurance policies contain similar exclusions, but none have been enforced thus far. Romanosky et al. observe that “almost half” of the policies in their sample exclude losses related to extortion or ransom. Many of the analyzed policies were written before ransomware became widely used by cybercriminals, prompting many interviewees to update their policies to reflect this.

All of our interviewees supported the view that postincident services (C4) reduce losses. Axon et al. showed that lawyer services and breach counsel are the most common expenditures related to cyber insurance claims, indicating that insurers do indeed provide these services. There is, however, a potential conflict of interest when the insurer chooses the provider. This forces a choice between acting to minimize the client’s losses or the insurer’s indemnity payment. For example, a public statement might be seen favorably by regulators when considering the size of a fine, which the insurer would indemnify, while also causing reputation damage, which the insurer would not indemnify.

The preceding evidence could result from an immature market. Insurers may first need to generate knowledge and understand the market (C5). One insurer discontinued a subsidiary conducting loss research into information risks in the early 2000s, and we are not aware of any similar insurance industry-sponsored R&D outfits. Increasing understanding by aggregating claims data is limited by inconsistent data collection in an unstandardized format; however, the individual underwriters we interviewed were admirably committed to learning about information security via formal courses, news reports, academic articles, and other such resources. This focus on education is extended to clients. One interviewee’s firm offered an online cybersecurity awareness platform and monitored how often the insured party used it, which was deemed to be an effective way to gauge culture.

Unfortunately, this does not seem to be translating to innovation in policies or underwriting methods. Studying policies from 2007 to 2017 did not reveal any substantial changes in policy length, style, or composition over time. Only 15% of 395 insurance professionals responding to the 2017 Advisen cyber insurance market trends survey reported that systemic events such as the Dyn distributed denial-of-service attack or the WannaCry ransomware event had a moderate or significant impact on underwriting, with 45% reporting no impact whatsoever.

The evidence indicates that today’s cyber insurance market is not fully delivering on its predicted governance functions, with security obligations in contracts particularly lacking. The following section explores why this is the case.

What Is Preventing Governance?

The lack of focus on security posture during the risk assessment could be explained by a phenomenon observed by Woods and Simpson. Here, brokers directed applicants toward insurers with the least stringent application procedures, creating a “race to the bottom” in risk assessment. Many respondents want the market to harden, that is, move away from an oversupply of insurance, so that insurers can begin asking tougher questions and start demanding concessions from the client. Woods et al. collected evidence suggesting that cyber insurance premiums in the Californian-admitted market are falling, with the latest data point occurring in 2019, indicating that the oversupply of insurance will continue.

The Payment Card Industry Security Standards Council has sidestepped this problem: the card providers jointly developed a standard and ensure that no provider deviates from enforcing it. Such an approach by insurance carriers would likely violate competition laws.

We are yet to see evidence that indicates insurers can directly improve security via premium discounts. The cost of most security controls dwarfs the benefit in terms of reduced premium, which suggests discounts only provide incentives to invest at the margin. Furthermore, insurers do not provide discounts based on individual controls, but rather, due to a holistic view of security. Insurers offering discounts for security controls already in place is different from offering discounts as an incentive to implement security. The latter is akin to suggesting that cinemas encourage pursuit of higher education by offering discount ticket prices to students.

It is natural to ask why insurers would offer greater incentives to invest than those currently available. A rational insured would already have a cost-effective security control in place; this is because security controls accrue more benefit to the insured than to the insurer, given that insurers only cover a subset of the potential losses. A counterargument focuses on interdependent security, in which security controls provide security for other policy holders in addition to the one who makes the investment. This means that the insurer is uniquely placed to internalize the positive externality and would do so by incentivizing security. It is an empirical question whether the benefits from interdependent security will outweigh the fact that the insurer covers only a subset of the potential loss. It is worth noting that none of our interviewees mentioned interdependent security, likely because it is a concept more associated with academic discussions.

Exclusions (such as withdrawing coverage if security patches are not applied) are mysteriously absent in insurance policies. One explanation for this could be broker commission, which tends to be a percentage of the premium. This incentivizes negotiating for broader coverage with fewer security obligations rather than for a lower price and more security obligations. Another explanation could be that insurers recognize that the implementation of security controls is imperfect, and they want to assure their clients that they will pay out claims in the event of a breach.

Once again, the comparison to PCI DSS is instructive: in nearly all high-profile thefts of payment card data, investigators have retroactively found the affected firms to be noncompliant with PCI rules and therefore subject to penalties. This has weakened the incentive to spend the resources necessary to become compliant in the first place. Additionally, insurers do not wield nearly as powerful a stick as does the PCI council, which can suspend acceptance of credit card payments. It therefore seems reasonable to offer broader coverage to attract customers in a competitive marketplace.

In other words, customer relations matter a lot. Cuthbert Heath famously offered to pay all claims in full following the 1906 San Francisco earthquake without auditing the claims. Insurers may pay claims from organizations that are not currently following security procedures so as to maintain trust in the product, which is essentially a promise to pay out. Yet the lack of security obligations could lead to moral hazard polluting risk pools, in which bad risks joining the risk pool increase expected losses, with these costs absorbed by the customers following such procedures.

Postbreach services are the success story of cyber insurance. Insurers provide these services because they reduce incident costs that insurers would have to otherwise indemnify, whereas risk mitigation leads to benefits in terms of attacks (and therefore claims) avoided, which is more difficult to observe. Monitoring risk mitigation measures is costly, and the potential for misconfiguration undermining efficacy is great. Alternatively, security vendors have not been able to demonstrate that their products reduce losses, unlike, say, manufacturers of fire doors in property insurance.

The lack of change in policy composition over time could result from innovation not tracked by the regulatory filings analyzed by Romanosky et al. Underwriters pursuing further education and independent research leads to better decisions without formal documentation. It is also possible that requiring insurers to file when they update policy wording or prices is dampening innovation.

We next consider what might change in the future.

Will Cyber Insurance Exist in 10 Years?

A fundamental question for cyber insurance is whether it will even exist as a distinct offering in the future. Presently, a considerable proportion of traditional policies do not affirmatively include or exclude cyber coverage. The resulting ambiguity is known as silent cyber. The industry is currently moving to remove this ambiguity by using exclusions.

Multiple interview participants expressed the opinion that cyber risks will be affirmatively included in traditional lines of insurance. This future considers cyberattacks as a peril, not unlike fire or workplace accidents. Traditional losses caused by cyberattacks or cyber liability assigned by courts would be realized as in the noncyber equivalents. This would mirror environmental liability insurance, which received much attention as stand-alone coverage in the 1980s but is not widely purchased.

A contradictory future sees cyber insurance emerge as a stand-alone product that every organization purchases. It would cover all losses resulting from cyberattacks, including ransom demands, liability, and business interruption. Differentiating risks in this way helps insurers address problems such as adverse selection and moral hazard. Additionally, cybersecurity expertise could be concentrated, with insurance professionals selling stand-alone cyber insurance.

If cyber insurance is absorbed into traditional lines, the private governance effects will be more diffuse. It is an empirical question whether this is more effective for changing security practices. In one respect, individual underwriters will have less specialized expertise in conducting in-depth cyber risk assessments or issuing security advice. Conversely, cyber risk may be integrated into organizational risk management on a footing equal to other risks, potentially leading to more resources being allocated to cybersecurity.

In large part, this debate stems from the lack of clarity in the term cyber insurance. Böhme et al. suggest differentiating coverage by the type of asset and the means of risk arrival. Cyberthreat insurance, which covers physical losses caused by logical attack, could be absorbed into traditional lines. Offering coverage for information assets may be more difficult. It is worth noting that the industry response to “silent cyber” has generally been to exclude losses caused by logical attack and offer coverage under stand-alone cyber insurance coverage.

Can Insurance Improve Cyber Hygiene?

Another question concerns the depth of risk assessment. This could shift if policy holders with stronger security postures recognize that the lack of a rigorous risk assessment pollutes risk pools. Uniquely, buyers with a strong security posture relative to other buyers should seek out insurers conducting in-depth risk assessments. The time cost of communicating information about security posture results in better risk selection and fewer claims for the insurer to pay, which should translate to lower premiums. Brokers are well placed to lead this change because they understand which insurers conduct rigorous assessments. It may not be in a broker’s self-interest because communicating this information requires more of the broker’s time, which is not rewarded as they are paid by commission.

Insurers refusing coverage for organizations that flout basic security procedures (such as using default system configurations) should be applauded for preventing moral hazard from polluting risk pools. Policy holders who follow basic procedures must otherwise cross-subsidize those who do not. However, there is a fine line between requiring a basic security level from insureds and withdrawing coverage to avoid paying out on claims. An entity should monitor this, whether that be a regulator, broker, or consumer group.

The presence of security obligations in contracts touches on the general lack of standardized policy wording. Industry bodies or regulators could force more standard contracts. Consumers would benefit from standard policies that allow for comparisons of insurer product offerings. Insurers, however, would be restricted in their ability to innovate in response to the dynamics of cybercrime.

Brokers are the primary beneficiaries of the current nonstandard market. They earn commission by reducing transaction costs for organizations looking to buy insurance. The diversity of products increases the value of specializing in assessing and negotiating the terms and price of cyber insurance policies. The race-to-the-bottom effects are likely to remain as long as insurers rely on intermediaries to sell cyber insurance products, which undermines insurance as governance.

Will an Actuarial Science of Cybersecurity Emerge?

Power charted the rise of risk management and its impact on organizational life. The concept of operational risk, to which cyber risk contributes, emerged from the financial sector. Power suggested that the actuarial base for operational risk insurance must be suspect due to the low frequency of events. To examine how the actuarial base might be built, we sought out historic claims data.

The majority of the market is open to sharing while a few insurers see claims data as their competitive advantage. Unfortunately, these insurers also tend to hold most of the data. The value of claims data could tilt the market toward a natural monopoly that can only support a few dominant firms. The next best thing is databases that aggregate all publicly reported incidents. These will continue to grow over time but are limited by reporting biases; incidents related to availability or integrity, which tend not to compromise personal data, do not fall under mandatory reporting laws.

The actuarial base is further undermined by tension between long-term analytics and short-term expediency. An interview participant suggested proposal forms that provide standardized data collection could lead to an “analytic database,” but that large companies are moving “more toward meetings and calls.” This trend could see cyber insurance descend into an art based on the ad hoc judgment of underwriters. Many participants were optimistic about “security scorecard science” providing an objective basis for analytics, which involves collecting data by scanning externally facing nodes on the applicant’s network to provide a single score, much like a credit rating.

Power’s account of reputation risk provides a cautionary tale for standardized risk assessment, such as security scores. External agencies created evaluation metrics that cannot be challenged by the organization under evaluation. The criteria of these metrics were internalized over time, displacing values linked to the organization’s particular context. This may result in a suboptimal use of resources by emphasizing externally observable controls over more effective ones.

The suboptimal allocation of resources might also result from micropolitics within the organization, which cyber insurance empowers. Departments such as IT and human resources may compete for responsibility and resources regarding risk management. If the application forms value legal compliance over technical infrastructure, as seems to be the case, the legal department may use this to justify taking responsibility away from the IT department. Insurers focusing on process could result from the “streetlight effect,” rather than from what is optimal for the organization.

The relationships between insurers and security service providers are troubling. Insurers revealed that they received advice in exchange for recommending the vendor to their clients, sometimes even requiring insureds to use that vendor’s services or products. Beyond the anticompetitive aspects, we should question the role of commercial interests in providing this advice. It could be warping the underwriter’s view of what constitutes an effective security investment. One might also question the social desirability of the most common claims costs going toward professional services rather than restitution for victims, who often have little control over their data.

How to Deal With the Potential for Cyber Catastrophe?

The potential for correlated cyber losses is intimately linked to how claims costs arise. Axon et al. describe evidence indicating that data breaches, ransomware, and noncompliance with legislation are the most common triggers of cyber insurance claims. Data breaches rarely correlate across companies, and costs assigned by courts are bounded by the judge’s sense of proportionality, although insurers have fallen victim to political judgments assigning costs to those deemed to have the deepest pockets in the past.

Ransomware incidents are different because many claims can result from the same underlying cause, as evidenced by the NotPetya attack. Incidents occurring independently, such as data breaches, can be absorbed by risk pools; however, correlated incidents pose an existential threat to the risk pool. The increasing prevalence of ransomware claims and their increased solvency risk may force insurers, possibly led by reinsurers, to influence cybersecurity levels in a way that we have not seen thus far. But we should be cautious given the number of false dawns observed heretofore.

Anxiety about aggregated or correlated losses will not abate until network complexity is reduced. Doing so would fundamentally reshape modern economies. Insurers instead try to track service providers as a point of correlated risk accumulation. If the market began to harden, they may be able to select or incentivize insureds to create more diversity and resilience.

Alternatively, the industry may move toward excluding coverage for systemic attacks. Poor communication in doing so undermines consumer trust. Criticisms were leveled following the NotPetya attack because the threshold for cyber war is ambiguous. Many of these criticisms were unfair given the policy in question was not sold as cyber insurance. Nevertheless, court battles are an expensive way to clarify expectations.

Insurers may instead lobby the government to become the reinsurer of last resort. There are precedents, such as with flood and terrorism insurance and the many different forms this can take. Proponents suggest that these losses are caused by states failing to protect companies from other nation-state attacks. Detractors ask why taxpayers should cover the tail risk of private companies when they fail to comply with basic security procedures, such as patching the vulnerability behind the NotPetya attack.

Recalling why governments provide a backstop for flood and terrorism coverage is important for evaluating this policy measure. Reinsurers began excluding terrorism-related losses following events in the United States and the United Kingdom, leading to reinsurers withdrawing coverage. It was argued that insurers would not offer policies to consumers unless a government backstop was provided. In contrast, policy reports have identified a lack of demand in the cyber insurance market, which cannot be solved by supply-side measures such as government backstops. This policy measure should be shelved until an undersupply of cyber insurance is identified.

Policy makers have long held high hopes for cyber insurance as a tool for improving security. Unfortunately, the available evidence should give policy makers pause. Cyber insurance appears to be a weak form of governance at present. Insurers writing cyber insurance focus more on organizational procedures than technical controls, rarely include basic security procedures in contracts, and extend discounts that only offer a marginal incentive to invest in security. However, the cost of external response services is covered, which suggests insurers believe ex-post responses to be more effective than ex-ante mitigation. (Alternatively, they can more easily translate the costs associated with ex-post responses into manageable claims.)

The private governance role of cyber insurance is limited by market dynamics. Competitive pressures drive a race to the bottom in risk assessment standards and prevent insurers from including security procedures in contracts. Policy interventions, such as minimum risk assessment standards, could solve this collective-action problem. Policy holders and brokers could also drive this change by favoring insurers who conduct rigorous assessments. Doing otherwise allows adverse selection and moral hazard, which will increase costs for firms with responsible security postures.

Moving toward standardized risk assessment via proposal forms or external scans supports the actuarial base in the long term. But there is a concern that policy holders will succumb to Goodhart’s law by internalizing these metrics and optimizing the metric rather than minimizing risk. This is particularly likely given that these assessments are constructed by private actors with their own incentives. “Search-light effects” may drive the scores toward being based on what can be measured, not what is important.

Systemic risk has a number of possible futures. Organizations may have to accept liability as insurers exclude the risk. Governments may step in to offer reinsurance, although we caution against doing so until an undersupply of cyber insurance is observed. Otherwise, insurers may demonstrate leadership by encouraging diversity in technology and service providers to reduce systemic risk.

Acknowledgment

We thank Rainer Böhme and the anonymous reviewers for providing constructive feedback. Thanks also to participants in the Lorentz Center’s workshop “Cyber Insurance and its Contribution to Cyber Risk Mitigation,” for their many interesting ideas about the role of brokers. Our collaboration was made possible by a Fulbright Cybersecurity Scholar Award.

Daniel W. Woods is a Ph.D. student in the Department of Computer Science at the University of Oxford, United Kingdom. His research focuses on the economics of cyber risk transfer. He is the recipient of a Fulbright Cyber Security Award. Contact him at daniel.woods@cs.ox.ac.uk.
Tyler Moore is the Tandy Associate Professor of Cyber Security at the University of Tulsa, Oklahoma. His research interests include security economics, cybercrime measurement, and cybersecurity policy. Moore received his Ph.D. from the University of Cambridge, United Kingdom, as a Marshall Scholar. Contact him at tyler-moore@utulsa.edu.