Iain McLaren/Why cyber insurance is becoming like health insurance

Created Mon, 12 Aug 2024 00:00:00 +0000 Modified Mon, 12 Aug 2024 00:00:00 +0000

Cyber insurers may increasingly influence how organisations run their technology systems

The health insurance industry has a significant influence on how health care is provided. Similarly, cyber insurers may increasingly influence how organisations run their technology systems and secure their data.

Data breaches are still relatively rare

A whole industry has recently been built around mitigating and managing the risk of data breaches.

There used to be much less of a focus on cyber insurance and the risk of data breaches. Data breaches were rare, and the insurance premiums and payouts were relatively low. Contracts that customers signed with suppliers also reflected this. For example, customers strongly resisted including any liability cap limits for confidentiality and data breaches in their contracts with these suppliers.

That being said, data breaches are still relatively rare. A data breach is a classic low-probability, high-impact risk.

Large organisations often default to storing as much information as possible

Before data breaches became more common, there was no real downside to organisations storing as much information as possible.

Even if organisations cannot think of a use for the data that they currently store, they know that they might come up with a profitable use-case in the future, particularly as machine learning models are improved by using large quantities of useful data.

Historically, there was relatively little incentive for organisations to limit the amount of data that they store, or spend a lot of time and money on security

There is still a strong push within organisations to retain as much data as possible. For example, organisations are starting to recognise that applying machine learning models to their large data stores can lead to profitable results.

For the individuals who work in organisations, there is often little real incentive to limit the amount of data that they store on behalf of these organisations. Even if there is a data breach, the focus of organisations is often on increasing security as opposed to limiting the data that they store.

Speaking of day-to-day incentives, in large organisations the security team that is responsible for preventing data breaches is also often completely separate from the parts of the organisation that are responsible for profiting from large troves of data.

With the best will in the world, it is also unlikely that data breach prevention will ever be the top priority of boards and CEOs. Data breaches are low-probability but high-impact risks, and it is probably not realistic to expect that the boards of most organisations will be stacked with directors with strong technology experience and expertise who understand how to appropriately manage these risks.

However, customers are quickly learning that their data stores can be toxic

For example, the European Union led the way with the General Data Protection Regulation (GDPR) by imposing enormous fines, linked to percentages of revenue, on organisations that do not appropriately store and use personal information.

Australia has followed suit with similarly large penalties under the Privacy Act 1988 (Cth).

As a result, cyber insurance is becoming prohibitively expensive

Put simply, all insurers calculate the probability of a potential payout and the amount of the potential payout and charge their clients accordingly.

When there were no cyber insurance payouts, or relatively low payouts, the cyber insurance premiums were also low. Cyber insurance payouts are still relatively rare, but insurance premiums have become prohibitively expensive as data breaches have become more common and the potential payouts larger.

Short of government intervention, the only way to reduce cyber insurance premiums is to reduce the risk to cyber insurers

To date, most commentary in relation to cyber insurance seems to be based on the assumption that the risk of data breaches cannot be reduced in a meaningful way. The assumption is that organisations will generally just continue to run their technology systems without any meaningful external controls, limitations, or mandatory risk mitigation strategies.

To give Australian Governments credit, there is a clear legislative focus on ensuring that the technology systems of critical organisations such as banks and other APRA-regulated industries, hospitals, and other critical infrastructure, are run in a secure way. However, this has not stopped data breaches from occurring. There is only so much that governments can do to change the behaviour of organisations when the actions of the organisations are not directly driven by financial incentives.

Like with health insurance, the only way to reduce the risk to cyber insurers is to reduce the probability and/or amount of the payouts

Short of government intervention, there are two ways that cyber insurance payouts can be reduced:

  • offer toothless insurance; or
  • impose security obligations on organisations in exchange for discounted insurance.

Option 1: Like with health insurance, offer ‘toothless’ insurance

Cyber insurers are willing to offer ‘toothless’ insurance. Premiums could be reduced if the insurers don’t cover the largest expenses like fines, customer payouts, or company security remediation costs.

This is like buying the cheapest Australian health insurance that only covers inexpensive ‘extras’ but doesn’t cover potentially huge expenses like the cost of extended private hospital stays.

However, large organisations have increasingly become wise to this risk. They have dedicated internal insurance teams who ensure that their organisation buys ‘real’ insurance to cover the cost of the real risks to organisations if there is a data breach.

Option 2: Like with health insurance, impose risk mitigation obligations on organisations in exchange for discounted insurance

The other option is for insurers to impose risk mitigation (i.e. security) obligations on organisations in exchange for reduced premiums.

Health insurers have already travelled down this path. To manage risk and premiums, health insurers work within a very complex regulatory regime and are deeply embedded in how hospitals and other health care providers provide services to patients.

On the other hand, traditionally cyber insurers have not had any real input in relation to how insured organisations run their technology systems, protect their data, and manage risk.

Cyber insurers often have relationships with security experts who step in, as part of the insurance payout, to assist when data breaches occur. However, only stepping in after the data breach occurs is a deeply reactive response. Stepping in afterwards can mitigate the result of a breach to a certain extent, but it only treats the symptoms of the breach rather than the underlying cause, which may be insecure systems or a failure to manage these risks appropriately.

Without treating the cause of the problem, organisations may still incur significant costs even if the best security team in the world is dropped in to help after the breach has occurred.

The problem of scale: What should cyber insurers require organisations to do?

This is a problem of scale. Even if they wanted to, there is probably no way that cyber insurers can actively manage or monitor the technology operations of all of the organisations that they insure. This leaves cyber insurers with two options in exchange for discounted premiums:

  • impose security standards on organisations; and/or
  • stop most organisations from running their own technology systems.

Option 1: Impose security standards on organisations

There are a number of internationally recognised security standards that insurers could impose on organisations.

For example, in Australia, most of the security obligations that regulators impose on banks, hospitals, infrastructure providers, and other critical industries are based on the internationally recognised ISO 27001 security standard. Organisations can even be independently certified as being ISO 27001 compliant. However, for most smaller organisations, cyber insurers are unlikely to be able to push for such formal compliance because requiring such compliance will be too expensive and time consuming for the organisation relative to the risk of a data breach occurring.

Option 2: Charge a risk premium if organisations run their own technology systems

The second option is simpler. Only provide cheaper cyber insurance premiums to organisations that do not run their own technology systems.

This trend has already started in schools that issue their students, or require students to buy, iPads, Chromebooks, and other locked down devices. These schools effectively outsource managing security to the device manufacturers and service providers that run software in the cloud.

The reality is that very few organisations need to create or even run their own software. Most organisations just use the Microsoft Office suite, including Office 365, for document management and email, and standard finance and HR systems. Now that we have (relatively) cheap and fast internet access, all of this software can be run better, and more securely, by third parties in the cloud.

Even for large organisations, using Office 365 instead of running their own email systems is now the norm, as is using global hosting providers such as Google Cloud Platform, Microsoft Azure, and Amazon Web Services instead of running their own data centres.

To get reasonably priced cyber insurance, eventually most customers may not run their own technology systems

The trend seems to be that most organisations may eventually come to the conclusion that it is too risky to run their own technology systems, particularly if insurers effectively charge organisations a premium to do so.

Most organisations may come to the conclusion that it is safer and cheaper to rely on global technology organisations (like Microsoft) to operate and manage the technology services that most large organisations use (like email) rather than running these technology systems themselves.

To manage risk and limit premiums, cyber insurance may increasingly become like health insurance

This is similar to what happened with health insurance. To manage risk and limit premiums, the health insurance industry now has a significant influence on how health care is provided.

Cyber insurers may soon have a similar influence on organisations, particularly if organisations continue to insist on running their own technology systems. This may increase the stampede of large organisations following the crowd and outsourcing to global technology organisations that run software in the cloud.