Companies must share details of their cybersecurity programs with insurers to help build a defense against looming cyberattacks.
- Scott Stephenson
- July 2018
In the world of cybersecurity, Franklin Delano Roosevelt’s well-known admonition—there’s nothing to fear but fear itself—today seems prescient. Fear may be a great motivator, but it doesn’t often lead to sound business decisions.
Not very long ago, business leaders were more likely to fret over fires and floods than unseen threats to data security. In that predigital age, coverage of physical property appeared to take precedence over concerns about damage to reputation, operations and intellectual capital.
Yet fear and ignorance have become common obstacles to stronger cybersecurity. Many companies aren’t comfortable sharing full details of cybersecurity programs—likely thinking they may not be doing enough. Compounding that problem, they may not fully understand their specific assets and vulnerabilities. Without a synthesis of both these factors, an underwriter would be hard-pressed to make an informed decision.
While many companies may be responsible data stewards, pressures to monetize valuable or sensitive information make some of them reluctant to become more transparent about how they use data. They are justifiably concerned about being called out for what they may be doing or even for false reports of a breach in security.
Underwriters need to aggregate data about insureds to better understand their total risk portfolio. Critical information includes where insureds sit in the world (in terms of geography and the economy), types of data held and a detailed profile of supply chains. Cloud storage of this data cascade can bring its own risks, although cloud-based tools are becoming available that can help insurers and companies understand their data’s potential vulnerabilities.
What defensive measures should a company take? Beyond recognizing the relevance of cyber policies, companies can pursue a range of internal options to help “harden their shell.” Through targeted training of employees, use of cybersecurity software, and response simulations, businesses are preparing to combat cybercrime and its potential multibillion-dollar onslaught. Such measures can be instrumental in improving an organization’s defenses and reducing the fear factor in engaging with insurers.
The broad trend in cyber coverage is clearly for growth. Written premium for commercial cyber liability could reach $6.2 billion by 2020, according to a Verisk estimate, rising from roughly $2.5 billion recorded in 2016. So why do some companies continue to downplay cyber policies? And what can be done to better inform those businesses about cyber’s unanticipated risks?
Up to now, the biggest threat for companies and their insurers was a one-off data breach. Issues looming today are business interruption and contingent business interruption. While some insurers may be prepared to handle a one-time data event (by offering relatively low limits, for example), they may not be prepared for large events and their costly consequences.
More attacks are expected and, almost inevitably, more breaches. Given the stakes, with most industries worldwide relying on data and IT to remain competitive, cyber insurance should become a business imperative. Insight into the threats—coupled with a more candid recognition of our vulnerabilities—will lead to sharper defenses.
(Best’s Review columnist Scott G. Stephenson is chief executive officer of Verisk Analytics. He can be reached at firstname.lastname@example.org.)