Insurance industry: mechanics, challenges, and the role in accelerating the maturation of cybersecurity
Looking at factors that make cyber insurance a unique area of risk and seeking ways in which insurance can help speed up the maturation of security
Fundamentals of insurance as a business
The insurance industry goes hundreds of years back, and its impact on our modern society is hard to overestimate. At the core, purchasing insurance is an act of transferring the potential risk of losses to an insurance firm in exchange for a premium. The business model of insurance is often misunderstood as many people assume that companies in the industry make money by increasing the difference between what they charge (premiums) and what they pay (claims). That is only partially true. Insurance is essentially an investment institution that heavily relies on modeling probabilities: it estimates the probability of the risk occurrence and the maximum amount it stands to lose, prices its coverage to reflect the level of risk the company is taking, collects money (premiums) from the policyholders before the risk event happens, invests all this money, and when claims happen - covers the losses up to the previously specified maximum.
Because insurance collects premiums today, and the potential claims will happen tomorrow, it sits on a large pool of capital called float. The way insurance makes most of its money is by reinvesting the premiums into other interest-generating assets. I think the best explanation of float comes from a person who, thanks to his understanding of its mechanics, became one of the richest people on the planet - Warren Buffett. In his 2010 letter to Berkshire Hathaway shareholders, Buffett explains:
“Insurers receive premiums upfront and pay claims later... This collect-now, pay-later model leaves us holding large sums - money we call "float" - that will eventually go to others. Meanwhile, we get to invest this float for Berkshire's benefit…”
“If premiums exceed the total of expenses and eventual losses, we register an underwriting profit that adds to the investment income produced from the float. This combination allows us to enjoy the use of free money - and, better yet, get paid for holding it. Alas, the hope of this happy result attracts intense competition, so vigorous in most years as to cause the P/C industry as a whole to operate at a significant underwriting loss. This loss, in effect, is what the industry pays to hold its float. Usually this cost is fairly low, but in some catastrophe-ridden years the cost from underwriting losses more than eats up the income derived from use of float…”
Industry in process of transformation
Cyber insurance is one of the newest types of coverage now available to individuals and corporations in most developed markets. In recent years, we have seen a change in attitude towards offering cyber insurance: from excitement about this space to massive increases in premiums and decisions challenging the value of cyber policies as we know them. On August 16, 2022, Lloyd’s of London released market bulletin Y5381, a formal directive to its syndicates to implement cyber war exclusions and changes to the state-backed cyberattack coverage.
The reason for all these decisions is straightforward: due to the rising number of cyber attacks, cyber insurance providers have been losing a lot of money. Many factors have led to this outcome, including the obvious - the rise in cyber attacks and ransomware, the lack of understanding and adherence to proper cyber hygiene, and the rapid adoption of hybrid work arrangements changing the definition of companies’ “perimeters” and amplifying the impact of the first two. While all this has no doubt caused massive losses for cyber insurance providers, that is not the full story.
Concepts important to understanding risk
Insurance is similar to a highly regulated casino in that it needs to understand the probabilities and potential outcomes to price and make a bet. People doing the modeling - actuaries - look at large volumes of data to understand and quantify, among other things, the factors that impact the probability of the risk occurring, the factors that impact the magnitude of losses, and the degree to which the potential losses may be correlated.
In many industries, understanding the factors that impact the probability of the risk occurring is relatively straightforward as we have decades, and sometimes even hundreds of years of data. Intuitively, we understand that a house with a fireplace is much more likely to catch fire compared to one without. The insurance company, on the other hand, knows the exact probabilities of that happening on its own, but also when taking into consideration all the other factors: the material the house is built of, the type of fireplace, whether or not there are children living at the place, etc. Importantly, the list of factors is predictable, well understood, and finite: something random like a pair of sunglasses on the shelf does not have any impact on the probability of the house catching fire.
The magnitude of losses and the risk limits are also very well understood. For example, if a car was to hit a group of pedestrians, it is very unlikely to cause the death of 100,000 people. There is enough data for an insurance company to say how likely it is that a 35-year-old male who has been driving to work and back for 15 years, is married and a father of two will get into an accident, and what the potential magnitude of loss could be.
Lastly, there is the question of correlation. Correlation in this context means the likelihood that a loss in one place will lead to a loss in another. For example, in a neighborhood where all homes are built of flammable wood and are located a foot from one another, potential fire losses would be highly correlated as a fire in one building would easily start a fire in another, and so on until the whole area burns down. On the other hand, a sewage backup in a New York condo is not at all correlated with a sewage backup in London. The concept of correlation is incredibly important for insurance because insuring highly correlated risks creates the potential for a catastrophic loss resulting in a massive number of claims, which would force the company into bankruptcy. This is why the same insurance company would not typically provide earthquake insurance to all homes in the same area. Note that there are some other instruments available to insurance companies for reducing correlation, such as reinsurance, but for this discussion let’s keep it simple.
Factors that make cyber insurance a unique area of risk
It is often said that cyber risk is unique because, unlike other types of risk, there is not enough data available to model it. That is true, but there is more to it. Let’s briefly evaluate cyber along the same three parameters we’ve covered in the previous section: the factors that impact the probability of the risk occurring, the factors that impact the magnitude of losses, and the degree to which the potential losses may be correlated.
The probability of cyber risk occurrence, and most importantly - the factors leading to it are not yet well understood. Intuitively, we understand that having security training is going to reduce the chances that someone will click on a phishing link, but with attackers becoming better at social engineering, it is getting increasingly harder to assume that tomorrow’s threats will look like yesterday's “Nigerian prince” email scam. Many companies that get breached do have written security policies in place, are “compliant” with different frameworks, and have some (and often - “best-of-breed”) security tooling like extended detection and response deployed in their environment. With the ever-growing number of attack vectors, it becomes next to impossible to shortlist the factors that matter as they all do. Every account can be compromised. Every email can be a phishing attempt. Every piece of hardware and all software contains vulnerabilities that can be discovered and exploited at any time. Modeling anything in these circumstances is not a simple exercise.
The list of causes that could lead to a fire is well understood, and because there is always smoke, we know the probability of catastrophic outcomes can be reduced by installing a smoke detector. We also know that fire behaves the same way every time, so to mitigate the results when the risk occurs we can have sprinklers, and the ability for a fire department to get notified quickly. In cybersecurity, there are thousands of ways an attacker can get in, and it can take a long time for the compromise to get discovered. Providing one-size-fits-all product recommendations beyond the basics like password managers and MFA is not effective, as every digital environment is different and requires different approaches to secure it.
Next, let’s look at the magnitude of losses. When a ship sinks, the total loss will be equal to the sum of the loss of cargo, any loss of life if some people were not able to escape, the cost of rebuilding or buying a new ship, and so on. Estimating the size of the loss in cybersecurity is much harder. Technology is interconnected, and we have seen what happens when an important component gets breached - think of SolarWinds, or Kaseya. Another example is when a large Ukrainian financial software company MeDoc got hacked and ended up pushing out the NotPetya malware to thousands of its customers. In cases like this, the magnitude of losses can be insurmountable as the company that failed to protect its networks can fold under the pressure of lawsuits from others that suffered because of it. It’s worth noting that to address cases like this, every insurance policy has a policy limit - the maximum amount above which the insurance company will not pay, regardless of what the total loss is.
The same problem of everything being interconnected in invisible ways makes it impossible for cybersecurity insurance providers to decorrelate potential losses. This is probably the biggest issue of all three, as it removes the ability to avoid disaster events. One thousand businesses from all over the country operating in different industries are very unlikely to catch fire or get flooded all on the same day. However, it is entirely possible that most or even all of them would suffer from the same ransomware attack encrypting data and rendering their computer networks unusable.
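The difference between the fire/flood portfolio and the ransomware portfolio in the two correlation passages above can be made concrete with a small Monte Carlo simulation. This is an added example, not code from the original post: it constructs a portfolio of 1,000 policyholders and compares a model where every loss is an independent coin flip against one where a rare portfolio-wide shock (one campaign abusing a widely shared product) hits a large fraction of policyholders in the same year. Both models are calibrated to the same expected number of claims, so the only thing that changes is the shape of the tail. All probabilities, the portfolio size and the "ruin" threshold are constructed assumptions.

```python
"""Constructed Monte Carlo comparison of independent vs correlated losses across a
portfolio of cyber policyholders. Example code, not from the original post."""
import random

N_POLICIES = 1000      # constructed portfolio size
RUIN_THRESHOLD = 200   # constructed: claims in one year that would exhaust capital


def independent_year(rng, n=N_POLICIES, p=0.05):
    """Fire/flood-like model: each policyholder's loss is its own coin flip.
    Expected claims = n * p = 50."""
    return sum(1 for _ in range(n) if rng.random() < p)


def correlated_year(rng, n=N_POLICIES, p_idio=0.03, p_shock=0.05, hit_fraction=0.4):
    """Cyber-like model: individual incidents (p_idio) plus a rare portfolio-wide
    shock (p_shock) that hits hit_fraction of the portfolio in the same year.
    Expected claims = n * p_idio + p_shock * n * hit_fraction = 30 + 20 = 50,
    i.e. the same mean as the independent model."""
    claims = sum(1 for _ in range(n) if rng.random() < p_idio)
    if rng.random() < p_shock:
        claims += sum(1 for _ in range(n) if rng.random() < hit_fraction)
    return claims


def percentile(values, q):
    """Simple empirical percentile (nearest-rank) so the block has no dependencies."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(q * len(ordered)))
    return ordered[idx]


def summarize(model, years=2000, seed=7):
    """Simulate `years` policy years and report mean claims, the 99th percentile
    (a VaR-style tail measure) and the probability of a ruin-level year."""
    rng = random.Random(seed)
    claims = [model(rng) for _ in range(years)]
    return {
        "mean_claims": sum(claims) / years,
        "p99_claims": percentile(claims, 0.99),
        "p_ruin": sum(1 for c in claims if c > RUIN_THRESHOLD) / years,
    }


def compare(years=2000, seed=7):
    """Run both models with the same seed and return their summaries side by side."""
    return {
        "independent": summarize(independent_year, years, seed),
        "correlated": summarize(correlated_year, years, seed),
    }


if __name__ == "__main__":
    for name, stats in compare().items():
        print(f"{name:12s} mean={stats['mean_claims']:.1f} "
              f"p99={stats['p99_claims']} P(ruin)={stats['p_ruin']:.3f}")
```

Both models average roughly 50 claims a year, which is what a static questionnaire-based view of risk would price. The independent portfolio's worst one-in-a-hundred year is only a little above that average and it never crosses the ruin threshold, whereas the correlated portfolio crosses it in roughly one year in twenty, with a 99th percentile several times the mean. That gap, not the average claim rate, is what makes an aggregated cyber book dangerous to underwrite.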
It is worth calling out the problem of perception as well: while there is currently an understanding that anyone can get into a car accident and anyone’s house can catch fire, cybersecurity is still perceived as something unlikely to happen to most people and companies. This is predominantly because we have not had the same levels of education about information security as we have had over decades about other risks. Another factor contributing to the awareness gap is the fact that victims of cyber attacks are invisible: while we are used to seeing fire trucks, police, and ambulances daily, most people (for now) would say “no” when asked if they know someone who became a victim of cybercrime.
Insurance’s role in the maturation of security
Advantages of insurance over government regulations
Unlike the government, which typically requires years of discussions, consultations, and public hearings to make a decision based on citizen involvement and societal consensus, the insurance industry is much more flexible and able to move fast.
Instituting any long-lasting regulation by public bodies requires considerable investment to ensure enforcement, and even in case of success, it has the potential to turn into “box-ticking” as the government cannot design appropriate incentives for positive behavior. Insurance, on the other hand, can encourage the adoption of security standards by leveraging its existing underwriting mechanisms and providing tangible incentives in the form of access, cost savings, and better policies.
It’s worth noting that insurance cannot be seen as an alternative to government regulations, but rather a more flexible and agile complementary instrument.
Establishing incentives for improved security
Because insurance providers have the incentives to reduce the number of claims, as well as the total amount they are required to pay when the claims occur, they are well-positioned to become advocates for establishing solid cybersecurity practices. Insurance companies have access to cybersecurity talent, insights into the details about the organization’s security posture obtained during policy underwriting, and information about claims from businesses with similar cyber hygiene habits. All this equips them to recommend improvement plans to companies that can benefit from implementing additional measures to strengthen their security posture.
Additionally, insurance providers can continuously raise the bar required for companies to become eligible for cyber coverage, therefore forcing the maturation of security practices across different industries and geographies.
Educating people and businesses about the importance of cybersecurity
The insurance industry has all the incentives to lobby for national and international educational campaigns about the importance of cybersecurity. It is easy to forget that the majority of the safety measures we are taking for granted are a result of decades-long campaigns, often by the public sector and insurance companies working hand in hand. In the early 1980s, for example, only about 14 percent of people wore seat belts when driving, many citing reasons like personal freedoms and inconvenience. Fast forward to 2023, and few of us would be comfortable driving without this simple safety feature.
In collaboration with the government and other industry participants, cyber insurers can help educate people about cyber risks and ways to manage them effectively. An industry-wide collaborative effort isn’t easy, as companies with solid underwriting practices in the segment see them as their competitive advantage. However, the industry as a whole will benefit from increased cybersecurity maturity, which is why it is worth doing.
Facilitating cross-border cyber knowledge sharing
Cybersecurity is a global challenge, therefore it can only be effectively solved in the global arena. We have seen plenty of evidence that international organizations, while critical for peacekeeping and societal dialogue, cannot make important decisions quickly. Governments, on the other hand, have limited power outside of the nations they oversee, while diplomacy and international relations are, similar to intergovernmental NGOs, not suitable for rapid problem-solving.
Insurance markets operate across borders, and companies in the industry have the ability to move quickly. Most importantly, the incentives of insurance companies issuing cyber coverage policies across the globe are well-aligned, which creates a perfect opportunity for collaboration. Cyber insurance providers have an opportunity to facilitate knowledge-sharing and the establishment of cybersecurity best practices on the international level.
Insurance and standardization of security
Among the challenges of underwriting cyber losses are the absence of mandatory industry-wide standards and the complexity of quantifying cyber risk. There have been some initiatives designed to address these issues: UL Solutions, a global leader in applied safety science, is now offering services around cybersecurity, Cyber Catalyst by Marsh attempts to assess how different security products address cyber risks, while the FAIR Institute, a non-profit professional organization dedicated to advancing the discipline of measuring and managing cyber and operational risk, has been working on trying to quantify cyber risk for around a decade. These are early but important efforts in the right direction.
The UL (Underwriters Laboratories) certification is a particularly interesting example. The stamp of approval issued to electrical devices such as lamps by the Underwriters Laboratories, known as a UL listing, means the product has been tested for fire and electrical safety. While no law in the US requires UL certification, commercial building and electrical codes, as well as wholesalers and retailers, often ask for it. Furthermore, the insurance companies want to see appliances tested and certified by UL to reduce the risks they take on. The UL model, if implemented in cybersecurity, would ensure that hardware and IoT manufacturers, for example, build minimum levels of security into their products.
Instead of having the government look for manpower to enforce the standards, it can be done by the market with insurance companies playing a critical role. Continuing with the IoT example - assuming a standard for IoT security can be developed and adopted, a UL-like body could verify the adherence of different vendors to this standard, and insurance underwriters would then start requiring that businesses buy certified models if they want to obtain insurance at competitive rates. This exact model has worked tremendously well in the car industry, where insurance companies pushed the adoption of ESP (Electronic Stability Programme) which is now a de-facto global standard.
Insurance can become a critical instrument in helping establish minimum security standards and increase cybersecurity maturity. It’s worth emphasizing that implementation of standards cannot turn into a well-intentioned, compliance-like “box-ticking” exercise: establishing the ability to measure the effectiveness of different controls will be critical.
Anticipating the evolution of cyber insurance
Why cyber risk cannot become uninsurable
There has been a lot of talk in the industry that cyber risk is becoming uninsurable. While it is tempting to come to that conclusion as we see the premiums rising and some providers exiting the market, I think it is an oversimplification that misses the bigger picture.
As technology now underpins every area of our life, cyber can't become uninsurable. The opposite is true: every risk in the near future will have a cyber component. Think of this: in the decade to come, we will see hackers break into pacemakers and other medical devices, interrupt flights and surgeries, mislabel organs and send them to the wrong recipients, remotely start fires and cause car crashes, to name a few. With that, flight interruption, health, fire, liability, and auto policies, to name a few, will all have cyber-focused clauses.
When we hear that “cyber is uninsurable”, what it really means is that what we are doing today is not working. Because ten years from now every insurance policy will be cyber insurance, I think the idea that insurers will exit the market to avoid losses is not reasonable. Instead, insurance has the potential to shape what the future of cybersecurity will look like. I have previously discussed how innovation like continuous underwriting to assess ever-changing risk profiles and bundling cybersecurity with insurance is starting to change the outlook of the space. Here, I would like to instead focus on the broader picture.
Cyber insurance providers have the financial incentive to know what’s happening in cyberspace and how companies can reduce the probabilities of loss as well as the magnitude of the loss impact. In the next few decades, cyber insurance has the potential to become the catalyst for the maturation of security practices.
Importance of continuous underwriting
Cyber insurance underwriting today relies on an imperfect, static view of the organization’s security posture at a single point in time. Even if accurate at the point of assessment, a second later the environment would have already changed - a new user joined, ten new containers spun up, and so on. Additionally, the insurance questionnaires lack granularity and precision: while the answer to the question “is MFA enabled?” might be “yes”, it does not provide enough detail - is it enabled on every device, or is there a chance that the CEO has disabled it to avoid the hassle? Because cyber risks are always changing, insurance of the future will need to rely on continuous underwriting - the ability to adjust premiums in real time based on changes to the organization’s security posture. Continuous underwriting, therefore, can build in incentives for policyholders to patch their systems and perform other maintenance work on time, to unlock savings on insurance premiums. Continuous underwriting may be much harder to implement in the SMB market, where clients are unlikely to agree to take on the hassle unless there is a significant incentive (similar to telematics in auto insurance – very hard to get adoption).
Time limits for claim submission
Most insurance companies have time limits within which the policyholder must submit their claim, usually varying from 90 days to 12 months from the date of the event. Because it can take a year or longer for organizations to learn that they have been breached, insurance companies are likely to limit the maximum amount of time that can pass between the breach event and the time the claim is filed. This, in turn, will force businesses to become more proactive in understanding their security posture and complementing their detection capabilities with proactive threat hunting. If a company didn’t notice a breach for two years - it will be forced to bear the consequences alone. This is a common insurance practice and I can see it becoming more and more commonly enforced in cyber policies, although insurance brokers will be pushing back very hard on this.
A moral hazard problem
A moral hazard is a situation where an insured lacks the incentive to guard himself against risks because of perceived protection against negative consequences provided by the insurance.
Moral hazard has been known to affect people’s behavior in different areas of life: those with more comprehensive car insurance coverage tend to drive more aggressively, while those with high-quality health insurance tend to be less worried about prevention knowing that they will be taken care of if something were to happen. In cyber security, we sometimes see companies acting negligently about security and not investing time and effort in cyber defense assuming that the insurance provider will compensate them in the event of a cyber breach.
To address the problem of moral hazard, insurance companies should be more explicit about the types of risks that are covered under the policy, and the level of due care expected from the policyholder’s side for the coverage to remain active. It is worth noting that today, it’s very hard to eliminate coverage in a policy based on operations due to regulatory scrutiny (it is much easier to address at renewal by increasing the policy rate).
Looking for parallels in other insurance lines
To imagine what directions cyber insurance can develop in, it helps to think conceptually about how cyber compares to other types of events.
Insurance tends to cover the risk of well-scoped single events and avoid (exclude) those that are highly correlated and can lead to catastrophic losses. For example, because it can confidently underwrite the probability of theft in a given geography, and cap the maximum loss with a policy limit, theft insurance is a common component of home and tenant coverage.
The situation with insurance policies for terrorism is much more complex: before 9/11, terrorism coverage was typically included as a part of general insurance coverage at no extra cost to the insureds. After the attacks, many insurance companies started excluding it entirely, and those that didn’t ended up increasing premiums so much that it became prohibitively expensive. In response to that, the U.S. Congress in 2002 passed the Terrorism Risk Insurance Act (TRIA), which has since been renewed four times: 2005, 2007, 2015, and 2019. This federal program enables the US government to share monetary losses to commercial policyholders with insurance companies (up to $100 billion), making it possible for businesses to purchase terrorism coverage. Without government support, we likely would not have had many providers willing to insure this type of risk. The government could take a similar approach to cyber insurance as well, and we have already seen proposals suggesting exactly that.
When it comes to damages caused by “war,” “warlike,” or “hostile” activities, these are typically excluded from insurance policies.
Going back to cyber insurance coverage, until recently, there was little to no distinction between different types of attacks and the losses associated with them. That started to change in 2022, when, as mentioned previously, Lloyd's of London, the oldest insurance company in the world, decided to start excluding war and warlike cyber events as well. Although I think it does make sense to treat hostile actions of nation-states in cyberspace the way we do other acts of war, and the state actor component of exposure is likely to become part of TRIA soon, there are challenges of attribution unique to the cyber domain. Not only is it often impossible to confidently say where a specific attack originated, it is especially hard to categorize cyber assaults by adversaries operating as criminal groups with express permission (or orders) from their governments, such as those known to operate out of Russia and North Korea.
While cyber insurance is a new product, the fundamental challenges it presents are not new. Kidnap and ransom insurance, in many ways similar to cyber ransomware coverage, undoubtedly has some lessons learned for insurers. The fact that healthy people with no pre-existing conditions tend to delay or avoid purchasing health coverage already leads to situations where insurance is predominantly provided to high-risk individuals with a high potential for medical expenses, making it hard for insurance providers to balance risk while keeping policies affordable. Cyber insurance, while in some ways unique, shares many similarities with other lines of business. This makes it possible for the industry to tap into the lessons learned accumulated from hundreds of years of experience providing services across the globe.
Bundling cyber insurance with services
I have previously written a dedicated piece about a business model that bridges cybersecurity and cyber insurance - fully-integrated cyber solutions such as Coalition and BOXX Insurance. It’s a big shift where the same company offers both security services (managed firewalls, monitoring, reporting, incident response, and others), and cyber insurance.
This model is yet to prove itself in cybersecurity, but it isn’t entirely new in the world of insurance. During the industrial revolution, the adoption of boilers was causing catastrophic explosions that led to the loss of life and severe property damage. This is when the Hartford Steam Boiler Insurance and Inspection Company decided to step in. According to Wikipedia, “In 1919, the Hartford Steam Boiler Insurance and Inspection Company got tired of paying the claims on all those broken boilers, so they came up with the idea of this special piping configuration and mandated it for anyone who wanted insurance on their steam boiler. Before long, everyone was calling it the Hartford (or Underwriters) Loop. The Loop had a very positive impact on the industry, according to the records of boiler failures before and after 1919.”
Closing thoughts
The government plays an important role in establishing a baseline level of security, but it cannot keep up with the pace of cybersecurity innovation, and even if it did - the laws and regulations cannot codify all cyber defenses, and there are no resources to enforce compliance. The market, and the insurance industry as one of the most impactful market makers, have the potential to help close the gaps and shape the future of security.
No one insurance company can do it on its own; I think we have come to the point where there needs to be an industry-wide initiative with the goal of studying the problem, finding ways to understand the risk and its components, and educating the next generation of cybersecurity actuaries and underwriters. This is already starting to happen - a few weeks ago, Liberty Mutual launched a global cyber office; other insurance companies are likely to follow. Insurance has the opportunity to take the best practices known to substantially reduce cyber risks, and create a set of standards that any business looking for cyber coverage would need to adhere to. Doing so will not only enable insurance providers to improve their profit margins but also force the adoption of best security practices.
We are collecting more and more data about cyber losses, and while for now, most carriers use their own proprietary data models to analyze it, I would anticipate that in the years to come, that can be aggregated at the reinsurer level, leading to the ability to better underwrite reinsurance, and with that - a growth in cyber insurance offerings as well. Better data aggregation will lead to better modeling, and subsequently - continuous underwriting, where changes to the organization’s security posture will be instantly reflected in its risk score and insurance premiums.
Too many companies are acting negligently when it comes to their security, naively believing that cyber insurance is there to take care of risks and keep them safe. If a drunk driver was going at 300 miles per hour without a driver's license or a seatbelt - no insurance company would take responsibility for the consequences of their actions if they were to simply fill out a form claiming they are eligible for good coverage. I think in the years to come we will see insurance providers starting to hold policyholders accountable for the risks they control and could have reasonably prevented. Insurance will be seen as a fallback plan that kicks in when the company suffers a loss due to risks outside of its control - new types of vulnerabilities, threats coming from suppliers and third parties, and so on. This, in turn, will lead to the growth of service providers catering to SMBs that are presently underserved.
The insurance industry has the opportunity to help security teams make the world more secure, and I am cautiously optimistic that it can successfully seize this opportunity.
Insurance companies will either stop offering cyber insurance or they will continually offer cyber insurance with lower limits of coverage and tighter terms, conditions, and restrictions.
Insurance carriers do not have a mandate to offer coverage for cyber risks regardless of how many people or businesses continue to need cyber insurance. Insurance carriers do have a fiduciary responsibility to generate profit from whatever coverage they sell, whether for cyber risks or other risks, profit being defined as combined ratios under 100%.
Eventually, which may be sooner than later, the Federal Government will need to provide the financial backstop for companies that have been cyber-attacked.
Always keep in mind that just because a risk exists never means that insurers must provide coverage for the risk.
It’s never a matter of morality or ethics. It is always a matter of carriers generating profit.