Beyond the practical reality that insurance policies do not translate well into security technology, the two disciplines have different decision considerations, budgetary realities, and lines of authority. This makes collaboration between risk management and security leaders difficult to achieve. Competition is a good thing, but on occasion it has adverse consequences, and the cyber insurance marketplace is a good example. At least seventy-five, and perhaps more than one hundred, insurers offer some form of cyber insurance, so competition is strong and intense.
This dynamic is exacerbated by the insurance brokerage firms, which are keen to transact as much business as possible to drive revenue and are therefore complacent participants.
From a talent standpoint, insurance professionals in the property world often have legitimate engineering credentials and experience, whereas many cyber underwriters are barely into their professional careers. Security credentials would be preferred, but the universal competition for security talent means that most prospective cybersecurity professionals seldom consider the insurance industry as a career path.
These factors, combined with the previously mentioned challenges, drive another critical reality: insurers and reinsurers are struggling to comprehend the cyber aggregation risk that arises from the interconnection of platforms and shared service providers, including in the cloud.
As discussed above, a number of accelerating trends contribute to the increasing potential for systemic and cascading impacts from cyber incidents. This makes it difficult for insurers to assess how the cyber risks of different policyholders may be correlated, creating the potential for aggregation risk. An insurer underwriting many firms that depend on the same platform or service provider would face potentially massive losses from a single cyber incident.
The problem gets even worse when one considers how malicious actors might combine different kinds of systemic impacts. Anticipating where and how such aggregation risks might emerge can be extremely difficult, in part because they can arise from a range of sources: reliance upon a single platform or service, common hardware or software products, common nodes in globalized supply chains, and interconnections throughout the ecosystem that allow cyber attacks to propagate, among others.
This concern over aggregation risk has itself been a major driver behind the hesitancy of reinsurers to provide substantial reinsurance capacity for cyber, and that hesitancy inhibits the overall insurance market because primary insurers constrain what they offer without reinsurance support. This is a problem that can be solved by data and risk insight, the common thread running through all of the aforementioned challenges.
The cloud underwriting predicament illustrates the challenge well. The insurance industry arguably attempts such an assessment every day, but the challenges described above mean that no single insurer can coordinate all of the underwriting and data insight the assessment requires. What would it look like for the insurance industry to operate at full potential regarding cyber risks? It may be easiest to answer that question by describing an ideal ongoing coverage relationship, in which a policyholder maintains coverage with an insurer or syndicate of insurers over time.
The ideal underwriting model, then, is a dynamic database of risk management best practices and failure points, with financial and coverage incentives that vary based on industry insights. Certain best practices might come with premium reductions if they are adopted, or additional premium charges if they are not. If a policyholder is advised to avoid or abandon certain risk management practices or technologies, insurers could stipulate increased premiums or policy exclusions that negate coverage for any loss or claim resulting from the practices or technologies the policyholder was asked to avoid.
By the time the next policy renewal comes around (typical commercial insurance policies are purchased annually), the process repeats with up-to-date information and a refreshed set of suggestions. This approach may combine well with the pre- and post-event services offered by various insurers.
Property, maritime, and some other classes of risk largely operate in this fashion, where information exchange is the most valuable component of the transaction. Admittedly, most if not all classes of risk where this potential has been achieved have a much less dynamic risk environment than cyber.
Perhaps the ideal state for cyber insurance involves a frequent cadence of revisions, with interim underwriting check-ins every three months and a deeper dive annually. The key question, then, is how to unlock this potential for cyber and achieve a symbiotic relationship between insurers and policyholders. To address this question, the following points suggest a few practical solutions, mostly centered on trust and transparency, to drive more substantial information and data sharing.
The practical solutions offered above can begin to move the cyber insurance industry toward its ideal state. Yet sustained, coordinated action by both industry and governments, individually and together, is needed to help the insurance industry realize its full potential to shape the broader trajectory of the cyber risk landscape along the lines of the six core functions of insurance. Given its significant role in the cyber domain, the private sector should be the focal point for efforts to reshape this risk landscape.
Complementary efforts by governments and industry should therefore focus on reorienting the incentive structure shaping corporate behavior. This entails a holistic approach addressing both the factors shaping risk management practices and those shaping underlying risk exposure in the first place—decisions made across the full spectrum of business operations.
In other words, the focus should not be on ad hoc cybersecurity solutions alone but on ways to comprehensively address the factors that increase or mitigate cyber risk exposure, from the supply chain to the end of the product life cycle. The following section describes what such an approach might look like, including individual and collective actions in the context of a broad agenda for government, the insurance industry, and broader private sector efforts.
Part of the problem is a lack of comprehension of how cyber risks cut across all aspects of business operations. Cyber risks are difficult to scrutinize, and the expertise and analytical potential of insurance is needed to improve their clarity. Doing so would enable existing market forces to drive risk management to more effectively shape cybersecurity practices.
As the insurance industry matures in its role and ability to engineer cyber risk, it can discern from the data those practices that increase exposure or create aggregation risks. Insurers can directly disincentivize such practices, or incentivize mitigation measures, through the cost of premiums and policy exclusions. But a more robust assessment of cyber risk should also inform clients, consumers, shareholders, and potential investors in order to create additional market incentives.
Informed by insurers, influential stakeholders including major holding corporations and credit-rating agencies could be nudged to factor cyber risk management more thoroughly into their assessments and determinations. Governments, by themselves, can clearly make progress toward this objective. They have a range of tools at their disposal to directly regulate or indirectly prompt cybersecurity and risk management practices in the private sector that would, in turn, empower insurers. Further efforts to develop and promulgate voluntary standards, benchmarks, and metrics for cyber risk management have already proven beneficial to the private sector.
These could include, for example, standards for cybersecurity practices, personnel training or certification, or cyber insurance coverage requirements in procurement contracts. Likewise, the blacklisting by governments of products deemed compromised can have a powerful effect, dissuading others from buying them. Many such activities are already being undertaken by governments, though often in an ad hoc manner. Cooperation between governments and the insurance industry can more deliberately and effectively shape broader market incentives, for example through enhanced Securities and Exchange Commission (SEC) requirements for the disclosure of material cyber risks by publicly traded corporations.
This could improve transparency regarding cyber risk exposure and allow stakeholders to better differentiate among corporations based on their risk management practices. At a minimum, it would place pressure on companies to thoroughly assess cyber risk and pay attention to it at the highest levels of corporate leadership. Disclosures could include whether or not corporations have cyber insurance coverage that adequately accounts for potential impacts across multiple areas of business, and could nudge them toward standalone coverage when appropriate.
In turn, corporations may find it more palatable to signal effective cyber risk management by disclosing their insurance coverage than by disclosing sensitive information related to risk factors. Collectively, these market pressures could help counterbalance the incentives that drive risk exposure. They could rectify the inattention to cyber risk, which itself happens in part because major cyber incidents to date appear to have had only modest, temporary impacts on businesses. Those responsible are rarely held accountable, and the damage to stock value is often fleeting.
Even further, cyber insurance could help make other mechanisms for motivating cybersecurity practices viable. This includes the potential for entities whose roles critically affect wider risk exposure to face civil liability for failure to exercise reasonable diligence. The insurance industry can address the legitimate concern that liability would stifle innovation: insurers could partner with cybersecurity providers to identify best practices in product and service development (for example, penetration testing and threat modeling) and cover liability for companies that agree to follow those practices.
Finally, collaboration will be essential to address potential systemic cyber risks. Insurers can help locate potential single points of failure and motivate steps to eliminate them and minimize the prospects for cascading effects from cyber incidents. For instance, incorporating diversity and redundancy into the design of products and services can improve the resilience of systems against widespread attacks. This is particularly relevant for cloud service providers, who are in a position both to harness the most powerful defensive measures, particularly through improvements in machine learning capabilities, and to undertake defense on behalf of less capable actors.
Given their increasing criticality, including for many government functions, cloud services may eventually be deemed of systemic importance. Insurers can further identify when and where systemic risks might merit direct government intervention and determine other areas where governance mechanisms such as civil liability could be sufficient. Improved assessment of and familiarity with cyber risk exposure, particularly among stakeholders that have direct financial levers to shape corporate behavior, should help differentiate corporations that have effective risk management from those that are overly complacent.
Beyond simply identifying effective risk management practices, insurers can work with governments and cybersecurity providers to develop and promote cybersecurity innovations. Governments and the insurance industry can foster efforts within the private sector and through public-private partnerships to build cybersecurity capacity, improve information sharing on threats and best practices, explore innovative technologies and approaches for more effective cyber defense, and develop common standards and metrics for cybersecurity.
Government action to remove remaining barriers to collaboration, such as concerns regarding antitrust infringement, could generate momentum behind such efforts. More ambitious efforts might include national or international industry initiatives, which could help clarify baseline expectations for cybersecurity and create further incentives, such as reputational benefits.
Insurers could provide critical support for these efforts by motivating policyholders to contract for cybersecurity services that meet formal or informal standards of professional practice, such as certification of operators and capabilities or membership in a corporate social responsibility initiative. The development of common standards and metrics would, in turn, provide the insurance industry with more effective benchmarks for cybersecurity practices.
The cumulative impact would be to promote the professionalization of cybersecurity services, establishing indicators and baselines to help assess providers and reducing the likelihood that basic cybersecurity box-checking alone creates a false sense of security. Most importantly, for corporations to be able to channel cyber risk to insurers effectively, cyber risk itself has to be profitable for the insurance industry. This necessitates some degree of insulation from potentially catastrophic losses from cyber incidents.
Here, governments can provide a backstop for insurers, as has been done for similarly intractable risks like terrorism. Although the Terrorism Risk Insurance Act (TRIA) was extended to cover losses from cyber terrorism under standalone cyber insurance policies, significant ambiguity remains as to the thresholds that trigger coverage.
Such backstops would need preconditions, such as requirements that participating insurers demonstrate appropriate underwriting acumen. Such programs would be designed to sunset after a specified time, or after insurers have built up enough reserve capital to sustain the offerings on their own. This paper has focused largely on how governments and insurance can shape the incentive structure for corporations to manage cyber risk.
But such efforts can only go so far without addressing the essential role of intrinsic norms and standards for the companies that occupy critical nodes of the information and communications technology (ICT) and industrial control system (ICS) supply chains. Given the widespread reliance upon their products and services, a failure by these companies to exercise due diligence in development and management has significant potential to generate systemic cyber risks. These, in turn, contribute to potential aggregation risks that become an inescapable concern for insurers and, equally, reinsurers, placing a ceiling on their appetite for cyber risk.
Thus, the very stability of the ecosystem to some extent hinges upon trust in these vendors and their products. ICT and ICS vendors must therefore bear some responsibility for ensuring the integrity of their products throughout their life cycles, commensurate with their role in shaping the broader risk landscape.
This calls for commitments by vendors to undertake certain obligations regarding their products, as well as specific measures and metrics to build broader confidence in those commitments. For instance, vendors can implement measures to verify chains of custody and ensure the traceability of components and products throughout the supply chain, so that a discovered vulnerability can be tracked back to its point of origin and forward to every product that contains the affected component. Deep collaboration between these vendors and insurers toward implementing such measures can, in turn, give insurers concrete metrics for gauging risk exposure and mitigation.
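The chain-of-custody and traceability measures described above amount, in practice, to a component inventory (what vendors now publish as a software bill of materials) with a recorded digest for every artifact that entered the build. The following is an added Python example, not code from the paper or from any vendor, showing the two checks in their simplest form: verifying that an artifact still matches the digest recorded at intake, and walking the dependency graph to find every product that contains a component for which a vulnerability has been disclosed. The component names, suppliers, products and artifact contents are constructed for illustration.

```python
"""Added example: a minimal SBOM-style inventory with chain-of-custody
verification and vulnerability tracing. All data below is constructed."""
import hashlib
import hmac


def _digest(data: bytes) -> str:
    """SHA-256 hex digest of an artifact, as recorded at intake."""
    return hashlib.sha256(data).hexdigest()


# Constructed intake records: one entry per component version, with the
# supplier it was sourced from, the digest recorded when it entered the
# build pipeline, and the components it in turn depends on.
COMPONENTS = {
    "libparse:1.4.0": {
        "supplier": "Vendor A",
        "sha256": _digest(b"libparse-1.4.0 source tarball"),
        "depends_on": ["zcompress:2.1.3"],
    },
    "zcompress:2.1.3": {
        "supplier": "Upstream OSS",
        "sha256": _digest(b"zcompress-2.1.3 source tarball"),
        "depends_on": [],
    },
    "netstack:3.0.0": {
        "supplier": "Vendor B",
        "sha256": _digest(b"netstack-3.0.0 source tarball"),
        "depends_on": ["zcompress:2.1.3"],
    },
    "uiwidgets:0.9.1": {
        "supplier": "Vendor C",
        "sha256": _digest(b"uiwidgets-0.9.1 source tarball"),
        "depends_on": [],
    },
}

# Constructed product catalogue: shipped products and their direct components.
PRODUCTS = {
    "GatewayFW 4.2": ["libparse:1.4.0", "uiwidgets:0.9.1"],
    "HistorianSvc 7.1": ["netstack:3.0.0"],
    "DisplayApp 2.0": ["uiwidgets:0.9.1"],
}


def verify_custody(component_id: str, artifact: bytes) -> bool:
    """Chain-of-custody check: does the artifact we are about to build with
    still match the digest recorded when it entered the pipeline?
    Uses a constant-time comparison so the check itself leaks nothing."""
    recorded = COMPONENTS[component_id]["sha256"]
    return hmac.compare_digest(_digest(artifact), recorded)


def dependency_path(product: str, target: str):
    """Depth-first walk from a product through its components; returns the
    chain [product, c1, ..., target] if the target is reachable, else None."""
    stack = [(cid, [product, cid]) for cid in PRODUCTS[product]]
    seen = set()
    while stack:
        cid, path = stack.pop()
        if cid == target:
            return path
        if cid in seen:
            continue
        seen.add(cid)
        for dep in COMPONENTS[cid]["depends_on"]:
            stack.append((dep, path + [dep]))
    return None


def affected_products(component_id: str) -> dict:
    """Forward traceability: every product that (transitively) contains the
    component, mapped to the dependency chain that introduced it."""
    result = {}
    for product in PRODUCTS:
        path = dependency_path(product, component_id)
        if path is not None:
            result[product] = path
    return result


def origin(component_id: str) -> str:
    """Backward traceability: the supplier the component was sourced from."""
    return COMPONENTS[component_id]["supplier"]


if __name__ == "__main__":
    # A vulnerability is disclosed in zcompress 2.1.3: find where it came
    # from and which shipped products carry it, including indirectly.
    vuln = "zcompress:2.1.3"
    print("origin:", origin(vuln))
    for product, chain in affected_products(vuln).items():
        print(product, "<-", " -> ".join(chain[1:]))
```

The point of recording the digest at intake rather than at release is that a substitution anywhere between supplier and build shows up as a custody failure, and the point of walking the graph rather than grepping a flat list is that the vulnerable component reaches GatewayFW 4.2 only through libparse, which a direct-dependency list would miss.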
Nowhere is this more essential than with respect to cloud services, given the market concentration and dependence upon such services. Cyber risk presents a multifaceted challenge demanding action by governments, corporations, and the insurance industry alike. Sporadic and ad hoc attempts to address the problem thus far have failed to keep pace with its growing scope and severity.
Meanwhile, the predicament of the private sector appears likely to continue to deepen. This paper has explored the unique contribution that cyber insurance, alongside and synergistic with other mechanisms, can make to a broader, strategic approach to this problem.
In its ideal state, the insurance industry can begin to reverse the underlying trends driving the cyber risk challenge. At the root of this deteriorating landscape is a perverse incentive structure in many industries that fuels risk exposure. Poorly designed or insecure features and connections, for instance, may expand the cyber attack surface in unpredictable ways. If numerous utility companies were to rely collectively upon a single cloud-based platform for critical infrastructure operations, they might unwittingly create a single point of failure with broader consequences for public safety and national security.
Yet the decisions that shape the risk environment are often driven by commercial imperatives that militate against a more cautious approach to features and innovations that may increase risk exposure. The continuous expansion of the cyber attack surface and the high payoff of attacks contribute to a favorable calculus for malicious actors, including criminals, terrorists, and nation-state hackers, which in turn has broader implications for stability.
Preventing such exposure and enhancing resilience would both reduce risk and limit the potential for an international crisis to which governments would have to react. For these reasons, unlocking the full potential of the insurance industry is increasingly imperative not only for the private sector but also for governments struggling to assess when and where corporate cyber risks rise to the level of national concerns.
At the same time, cyber risk needs to be a profitable endeavor for insurers, and this demands government action both to empower insurers and to place a ceiling on the potential consequences of cyber risk. This mutual dependency necessitates a long-term, strategic approach toward progressively expanding the role of insurance. Governments, corporations, and the insurance industry can begin to tackle individual slices of this broader agenda separately. The insurance industry can implement the practical steps discussed above, improve the dialogue between insurers and policyholders, and increase the comprehensiveness, depth, and transparency of the underwriting process.
Governments, by themselves and in collaboration with others, can gradually raise baseline cybersecurity expectations and requirements. For instance, they can set requirements in their own procurement and certification processes that would inspire broader, structural shifts in the market. Other efforts require a degree of reciprocity among governments, insurers, and key industry stakeholders; otherwise, disjointed attempts to nudge the private sector in one direction or another could prove counterproductive.
For instance, enhancing cyber risk disclosure requirements without a means to signal effective cyber risk management might inadvertently punish corporations for accurately conveying the extent of their risk exposure. Similarly, commitments by corporations to ensure the integrity of products and services should be met with governmental efforts to complement and reinforce these. Finally, some of the most ambitious efforts require sustained collaboration and a careful balancing of public and private interests.
This includes creating government backstops for catastrophic cyber risk, which should be done only in close partnership with industry so that such coverage is properly scoped and conditioned. Likewise, options for liability for failure to exercise due diligence in the development or provision of products and services require careful consideration by governments and industry stakeholders. The capacity and willingness of insurers to underwrite such risks, and to minimize the potential impact of liability on innovation, must be assessed before such steps are taken.
This policy agenda therefore calls for a sustained partnership among these stakeholders, and for platforms that allow them to harmonize their approaches. Disinterested parties, such as those in the nonprofit sector, can provide neutral platforms for resolving the potentially diverging interests of stakeholders and communities. This is particularly necessary in cases like cyber risk, where business interests may clash with broader law enforcement, economic, and national security imperatives, and even more so when the key stakeholders are globally dispersed.