Can behavior-based cyber insurance improve cybersecurity?
The concept of rewarding insureds for good behavior could extend to mitigating cyber risks.
Cybersecurity is a real and growing concern for companies of all sizes, but it can be difficult to accurately assess the risk of exposure and likelihood of a successful cyberattack. With the average cost of a data breach currently sitting at $3.62 million, according to the Ponemon Institute, it’s not something you can afford to ignore.
For most businesses, the cost of reducing the risk to zero is simply too high. The threat from ransomware, employee error, software vulnerabilities and other risks is growing. Safeguarding your business requires the right tools and expertise that is in short supply, but cyber insurance could cover the gap. No wonder, then, that the market is forecast to grow to almost $17 billion by 2023, according to P&S Market Research.
However, careless companies with poor security postures could be driving up premiums for everyone else.
Rewarded for sensible behavior
The concept of insureds being rewarded for good behavior, in the form of lower premiums or other incentives, already has a great deal of traction in the insurance market. The advancement of telematics has paved the way for new levels of driver monitoring, so that carriers can recognize good drivers far more easily than before. Fitness tracking is beginning to have an impact in the health insurance field. Why can’t the same concept be applied to cyber insurance?
Businesses are slow to implement preventive measures, according to KPMG, because they don’t understand the value. Incentives in the form of premium discounts could change all of that, improving security, reducing incidents, and ultimately reducing what carriers must pay out. It’s the win-win concept at the heart of good insurance — reducing risk is good for everyone.
How do you measure?
What is required for behavior-based cyber insurance to work is an accurate, swift and reliable method of measuring the current state of a company’s security. Sending out in-depth questionnaires is fraught with difficulty. When technical questions might result in denial of coverage or higher rates, it’s tricky to guarantee the accuracy of answers. Sometimes the prospect simply doesn’t know, because an alarming number of businesses lack real insight into the potential threats.
While auto insurers can draw reliable data from black boxes to map driver behavior and uncover risk, it is not that easy with cybersecurity. Carriers need metrics to help them distinguish between high-risk and low-risk applicants. The ability to assess the actual cybersecurity posture of the enterprise could be enormously valuable. Just as FICO scores might be stirred into the mix when carriers assess individuals, PCI and HIPAA compliance could be employed when assessing companies and their partners.
Driving improvements
An automated and standardized method of fully assessing an organization’s security posture across hybrid cloud and on-premises environments would give carriers the data they need and also help highlight issues that companies need to remediate. Benchmarks and regulatory frameworks have clear rules that can form the basis of thorough assessments.
The investigation of potential threats and the business losses that might result from things like network downtime, data theft and reputational damage builds a strong case for the organization improving its security posture and points the way to do it. If businesses can reduce cyber insurance premiums and improve security at the same time, the value becomes clear.
Cyber insurance is essential
Though the risks are acknowledged, uptake of cyber insurance has been fairly slow so far. Last year’s Cyber Market Survey from the Council of Insurance Agents and Brokers (CIAB) found that just 32% of respondents’ clients had purchased some form of cyber liability or data breach coverage in the previous six months.
However, things are improving, and this year’s survey reports that demand for cyber insurance is greater than for any other line of business, with 79% of respondents reporting a “somewhat” or “significant” increase in demand.
The trend is clear. Cyber insurance is a vital part of any modern security program. There’s an opportunity here for forward-thinking carriers to integrate automated risk posture assessment and offer lower premiums for careful companies. In the tradition of great insurance products, this will drive tangible improvements and reduce risk for all concerned.
Jack Kudale is chief operating officer for Cavirin Systems, a provider of continuous security assessment and remediation for hybrid clouds, containers and data centers. He was previously CEO of Lacework, a cloud security startup, and held senior roles at SnapLogic and CA Technologies. Contact him at jack@cavirin.com.