Regulatory/Law
Seeing Signals

• Howard Mills
• January 2019
• 

The actor playing Fifth Officer Harold Lowe in James Cameron's movie “Titanic,” says, “We waited too long,” when he sees a woman holding her baby—both frozen to death in the icy water.

We all know why the Titanic sank—it hit an iceberg—but why the most technologically advanced passenger vessel of the time really sank is still a question with no clear answer. Whatever the reason, the “unsinkable” ship that was the symbol of its era's technological prowess collided with a natural hazard that probably should have been expected and now survives primarily as a symbol of hubris.

Today's technology is not so easily isolated. Our best technological accomplishments these days tend to make use of network effects.

Whether it be a social network or autonomous vehicles or the internet of things, technology for good or for ill links almost all of us. Management of the attendant risks grows even more important as technology becomes more central to our lives.

Insurance is about risk management. As cybersecurity becomes more necessary for personal and economic security, the insurance industry has a significant role to play.

The recent EU-U.S. Insurance Project meeting in Luxembourg began with a lively discussion on cyberrisk and cyber insurance. In many ways, the irony is intense. Insurance is known for looking back and learning from the past.

The tech world seems more interested in looking to the future, far less concerned about the lessons to be drawn from past successes or failures. And, like youngsters everywhere too eager to rush into the breach, tech could benefit from the steady hand of its elder insurance sibling. Insurance is positioned to facilitate a future where cyber is a positive force for development.

Getting there will not be easy. There are more questions still to be answered about cyberrisk than about the Titanic's sinking.

After praising cyber insurance at the EU-U.S. meeting as a necessary, even great product, Eric Cioppa, president of the National Association of Insurance Commissioners, asked one of the most fundamental questions: “What's a catastrophic loss going to look like?”

Do you ever wonder who will cover the cost if your autonomous vehicle gets hacked by some bored teenage genius neighbor? Is it your insurance? Your neighbor's? The manufacturer's? The software writer's? What if the whole grid gets hacked? Probably the only thing we can be sure of is that some insurance company somewhere will be the one making society whole.

Risk signaling is as important a function for insurance as any. The industry's abilities to measure and price risk helps create the necessary safe harbor for progress.

The work done and being done by industry and by regulators to ensure we can manage our own cyberrisks helps allow us to provide the expertise to others to manage theirs. One result of cyberrisk regulation is an enhanced ability to offer cyber insurance.

That offering is only half the solution, however. As was noted at the EU-U.S. meeting, the below-the-waterline issue is that the take-up rate for cyberrisk insurance remains low, especially among small- to medium-size businesses. That needs addressing.

And we can't wait too long.