Right now, there’s a "gold rush" going on among insurers to cash in on the now very high margins being reported in cyber insurance.
At the same time, industry observers admit that cyber underwriting is still far less sophisticated than that for other P&C lines.
Insurers themselves realize they aren’t sure whether their premiums are too high or too low for the risks they currently cover, and companies looking for insurance against the inevitable hack are at a standstill because they just don’t understand how their level of risk affects their policy options. On top of it all, executives and boards of directors are worried they won’t be protected when liability is determined in the event of a breach — and they should be.
Cyber insurance begins with a more complete understanding of cybersecurity defense. Breaches and attacks are now akin to hurricanes, becoming so frequent they are being named and wreaking a digital equivalent of damage. Recognizing this imminent and growing threat, the federal government has initiated two heavyweight resources for better cybersecurity defense — both of which should be considered by cyber insurers in their policy premium development given their consistency and effectiveness.
In May, the president released an executive order requiring all federal agencies to assess their maturity based upon the NIST Cybersecurity Framework (CSF), the first of the government’s helpful cybersecurity resources. This mandate requires agencies to report gaps and improvement plans to the Office of Management and Budget this year, and will make the NIST CSF the most widely adopted framework for assessing cyber maturity in cyber history — another case for cyber insurers to require insured companies to assess their cybersecurity risk maturity against it.
The NIST CSF is the perfect assessment and measurement tool for federal agencies, as it comprehensively defines high-level policies and procedures that establish oversight requirements for cyber maturity and resiliency. While this framework is considered the gold standard, it is in use today by only 30% of commercial businesses — not nearly enough to produce consistency or effectiveness in nationwide cyber defense.
With the NIST CSF becoming the dominant cyber framework in both commercial and government systems, the collection and sharing of data can become robust enough to create technologies that anticipate attacks, and perhaps even the likely attacker. Insurers must take compliance with and maintenance of these NIST CSF controls seriously to understand the true cybersecurity posture of an organization looking for insurance against the inevitable breach. From there, more accurate pictures of 360-degree risk measurement can be evaluated when drawing up premiums and policies for companies.
The government's second major cyber defense initiative, and perhaps the single most important move the U.S. has made toward greater cyber maturity to date, is the Department of Homeland Security’s (DHS) SAFETY Act. In addition to the Department’s active promotion of information sharing and analysis organizations (ISAOs), which foster the building of significant data sets based on the NIST CSF, the SAFETY Act is a 2004 law that grants substantial liability limitations to companies using the NIST CSF as their cyber maturity model for oversight and executive involvement in cyber policy and procedures.
In some cases, companies that adopt the NIST CSF can receive nearly total immunity from third-party actions in the event of a breach. This protection for officers and directors of commercial companies will entice many more enterprises to adopt the NIST CSF as a bulwark for defense. Not only can this safeguard potentially result in hundreds of millions of dollars in savings to a company, but it could also be classified as the most important action the industry has ever seen for working together to protect the economy of the United States from criminals and nation states.
To the organizations that currently enjoy cyber insurance — you are a step ahead of the 50% of U.S. firms that don’t have it, and the 27% with no plans to buy it in the near future. While policy options need work, companies without an appropriate layer of asset protection are leaving the door open to millions of dollars’ worth of uninsured damage — costs that will likely fall on executives and boards of directors. Cyber attacks are no longer an “if” but a “when.” We’ll see a wave of enhanced standalone cyber insurance policies in the future, but now is the time to begin understanding the risk your enterprise faces (internally and externally) and weighing options for a more secure cyber existence.
Michael Shultz is the CEO of Cybernance. The opinions expressed here are his own. To reach this writer, send email to email@example.com.