What is insurable risk? That’s the key question being explored by international insurance industry think tank, Geneva Association, is a new report on the cyber insurance market.
There are many challenges to insuring cyber risk, the report states, “especially due to a lack of data and modelling approaches, the risk of change, and incalculable accumulation risks.” Additional challenges to insuring cyber risk include information asymmetry, resulting in adverse selection and moral hazards, and coverage limits in the market.
According to a recent CyberScoop article, a lack of actuarial data could have profound consequences after Fitch’s recent warning that it will downgrade credit ratings of “insurance companies that write standalone cyber policies too aggressively, because of the high uncertainty this line of business contains.”
Fortunately, the future is looking bright for the cyber market in the insurance industry and governments have many opportunities to promote it. As the market grows, risk pools become larger and more data will become available. Additionally, increased capacity and more competition will inevitably push prices down and result in more uniform terminology, standardization and pre-coverage risk assessment. The report also recommended that industry and governments collaborate on public-private partnerships when collecting data for cyber incident repositories. Lastly, many experts believe that pre-coverage screening and reporting requirements could alleviate adverse selection effects.
Deputy Secretary General of the Geneva Association and editor of the report, Dr. Fabian Sommerrock commented, “We are very pleased to publish this report which provides an insight into the current level of understanding about cyber risk and cyber risk insurance …This report has been provided to increase understanding of the risk and support the insurance industry’s role in mitigating and managing it for the benefit of individuals, institutions and governments alike.”
The NAIC’s cybersecurity task force released its third and final draft of the NAIC cybersecurity model law in August, which was hoped to be considered for approval. However, “stakeholder feedback made it clear that additional work needed to be done to reach consensus on the draft,” according to Rhode Island Superintendent of Banking and Insurance Elizabeth Dwyer, a member of the task force.
With General John Kelly appointed as Secretary of Homeland Security, Trump’s administration promises to put border security as its top priority. This means that other priorities, especially cybersecurity, could take a back seat at DHS. Current Secretary Jeh Johnson warns the new administration against losing focus on cybersecurity and calls for it to continue as “a top priority on a bipartisan basis.”
Cyence, an economic risk modeling platform for cyber risk, debuted its product last September and since then, has received much attention in the insurance industry. Carrier Management Editor Mark Hollmer had the opportunity to sit down with Cyence Co-Founder and CEO Arvind Parthasarathi to discuss how their cyber analytics platform will allow the insurance industry to look at cyber risk in an entirely new way – in “dollars and probabilities.”
With cybercrime only increasing and traditional network security premiums becoming obsolete, the cyber insurance market is a huge, untapped opportunity for insurers and reinsurers. Mandatory legislation on cybersecurity in several U.S. states has led to more mature and better cyber liability insurance policies. PWC forecasts that annual gross of premiums will increase from $2.5 billion in 2015 to $14 billion by 2022.
The Presidential Commission on Enhancing National Cybersecurity issued a 100-page report with 16 urgent recommendations on ways that President-elect Trump can improve the nation’s cybersecurity, particularly in his first 100 days of office. Main points include creating a cyber nutritional label to help consumers shop wisely and establishing an international cybersecurity ambassador.
Blockchain offers a secure approach to storing sensitive information and performing functions, suitable for exposed environments that demand high cybersecurity. Its use of sequential hashing, cryptography and decentralized structure, which all took decades of research and refining, make it virtually impossible for any outside party to “unilaterally alter data on the ledger.” Bitcoin was the first application of blockchain, launching in 2009.
The National Institute of Standards and Technology (NIST) has released a set of guidelines “aimed at helping researchers better understand the Internet of Things (IoT) and its security challenges.”
After more than seven months, Commission on Enhancing National Cybersecurity has finalized its report on the Cybersecurity National Action Plan (CNAP) and is submitting it to President Obama. The Commission, which consists of “top strategic, business and technical thinkers from outside of Government,” according to a recent Politico article, was established as part of Obama’s effort to enhance the nation’s cybersecurity posture. The report is expected to be available to the public soon.
Members of the Commission explained the report focuses largely on short-term recommendations, with “market-based solutions rather than government regulations,” such as incentives and voluntary standards. The objective of CNAP is to enhance the nation’s long-term cybersecurity structure in both the public and private spheres. However, Kiersten Todt, executive director of the Commission explained that “the urgency of these issues is now. So what we hope is that many of these recommendations will be able to be executed.”
It is unclear how President-elect Donald Trump will handle the executive order and the Commission’s recommendations in the report, but the Commission has stated that a nonpartisan approach has been a key focus. Experts on the matter said that the nonpartisan nature of the executive order could give Trump a “rare opportunity to build on the work of President Obama.” Stanford University cyber researcher and Commission member, Herb Lin, also explained that “the political environment is very different now than it was before the election,” and that the Commission was “very scrupulous about not compromising the nonpartisan nature of the report.” The Commission consists of both Republican and Democratic representatives.
Trump has emphasized the need for the incoming administration to take a strong stance on hackers while simultaneously building out offensive cyber capabilities. The President-elect has vowed to create a “cyber review team” and change the nation’s stance on cybersecurity in the first 100 days of office, meaning he may choose to start fresh with his own agenda instead of building on that of Obama’s.
Inside the beltway and around the nation this week there has been zero escape from prognostications on what a Trump administration means for every issue imaginable. So, we’ll pile on…what about cyber? Well, we, at The Council, expect cybersecurity to be a significant issue. That statement seems obvious but the Republican platform actually includes a section advocating for “a free market for cyber insurance and makes clear that users have a self-defense right to deal with hackers as they see fit.” While the latter part has many nervous, we could see cybersecurity (and insurance) garner more oxygen than expected in the first 100 days (especially given the highly publicized hackings ahead of the election). On the surface, the President-elect’s cybersecurity stance doesn’t seem to vary much from President Obama’s policies. However, his pro-national security and law enforcement approach to cybersecurity is different and Trump will have to delicately balance between business interests and national security.
As we look to our parochial areas of interest, we are well positioned to effectively represent Council members as things heat up on the hill in 2017. Sen. John Thune is a major cyber player as chairman of the Senate Commerce Committee and we look forward to continuing to work with him on issues stemming from critical infrastructure cybersecurity. The Council supports a single standard for breach notification, and we believe good legislative opportunities will develop there. Lots to unfold so stay tuned. We will skip next week because of the holiday but will be back after. On behalf of The Council, we wish everyone a wonderful Thanksgiving.