Effective cyber insurers understand that tech-enabled underwriting can wipe away years of cybersecurity risk instantly, placing the risk management component and cyber insurance preparedness front and center. (Photo: Song_about_summer/Adobe Stock)

If you bring up cyber insurance among industry professionals today, you're likely to be thrown into a debate about the most extreme types of big-picture catastrophes. You'll also be guided to a commentary on the vastness of cyberspace and the Hollywood threats it poses (yes, insurance people can be creative, too).

Businesses might be paying more attention to cybersecurity, but many still fail to adopt basic cybersecurity hygiene best practices to improve their risk profile and change their employees' behavior regarding passwords, the use of professional computers for personal needs, and much more. This could be directly extended to consumer behavior given that individuals are most likely to carry the same behavior for the security of their personal assets as for their professional lives.

All cybersecurity exposures — professional and personal — contribute to the overall risk of the broader system.

What is so peculiar about this laissez-faire attitude, which seems to have become more prevalent as of late, is that no landscape of risk has ever been more dependent on the practices of the individual participants, nor does there appear to be a macro level invisible hand that guides them toward cybersecurity. Relegating the microeconomics of cyber to the backchannels does a disservice to small businesses and individual risks of cyberspace. Worse yet, it fails to recognize the untapped potential that small businesses and individual-level cyber measures possess in reducing the broader systemic risk component.

Awareness is not enough

This is largely because the coverage gap for cyber is less about insurance than the industry would like to think. Standardization and systematic adoption of cybersecurity hygiene is still lacking, more so in the small and medium-sized (SME) business segment than in large organizations.

Awareness of cyber risk and cyber exposures has improved significantly following the waves of ransomware attacks in past years, but not yet to a level that leads to sufficient action. A 2019 poll conducted for the NCSC revealed that 80% of people agreed that cybersecurity was a priority. However, only 15% of people felt that they knew how to protect themselves, and 46% found information on how to be more secure confusing.

While awareness of the headline-grabbing potential of cyber risk may be on the rise, basic education as it pertains to cybersecurity is not.

It's a failing that exists primarily in the uninsured market: note uninsured, not uninsurable. Insurers are oftentimes the most significant force in educating prospects and policyholders on basic cybersecurity. The degree to which these risks can change is key to the market segment's appetite.

An uninsurable property will remain uninsurable until certain levels of construction code are met, at which point the owner may seek insurance protection. For cyber insurance shoppers, their risk profile can be improved instantly through a tech-enabled underwriting and purchasing process, wiping away years of cybersecurity risk. This is especially true of small and medium-sized businesses, where the most significant risk is negligence and oversight. The most effective cyber insurers understand this, placing the risk management component and cyber insurance preparedness front and center.

It also means that the mere exercise of seeking insurance is significant, and more than the sum of its parts. An increase in market penetration to the SME cyber market pays dividends to the security of the overall cyber ecosystem. This is because every entity that is taught appropriate cyber hygiene is a break in the chain when it comes to cyber contagions and a reduction in aggregation potential for everyone. It is also what is most commonly missed in most discussions about the size of the aggregate cyber exposure: Every dollar of market coverage is insuring a diminishing amount of systemic risk.

So why does the size of the SME market in relation to the rest matter? Simply put, it is the market segment that has the most to gain from simple increases in cybersecurity and insurance penetration; the broader system of cyber risk also stands to lose the most by leaving it behind.

We are all better off with a larger SME cyber insurance market, where the insurers wear more cybersecurity hats than is typical. It also means that those who play in the SME segment have a unique opportunity to guide the digital transformation toward a more secure future.

In the world of cyber risk, there are no passengers; we are all crew.

Dan Palardy (daniel.palardy@cowbellcyber.ai) is lead actuary and head of Actuarial & Cat Modeling at Cowbell, which provides small and medium-sized enterprises (SMEs) coverage adaptable to current and future threats and advanced warning of cyber risk exposures.

These opinions are the author's own.
