Cyber Insurance: Why is Growth Stymied?Congress Hears Testimony About Lack of Actuarial Data
A dearth of actuarial data stymies the growth of the cyber insurance market, industry experts told Congress at a March 22 hearing.
See Also: Data Center Security Study - The Results
"Unlike fire insurance, [cyber] insurers do not have 100 years' worth of cyber loss data that they can use to build out new policies," Thomas Finan, a former Department of Homeland Security strategist who helped launch DHS's Cybersecurity Insurance Initiative, testified.
Finan, now chief strategy officer at Ark Network Security Solutions, and other witnesses testifying before the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, called for the creation of a repository of cyber insurance data, including claim information and payouts, not only to support insurers creating cyber insurance policies but also to help enterprises gain a better understanding of the cyber risks they face.
None of those testifying called for the federal government to run the repository, but some suggested the government could furnish funding and other resources, a point emphasized by the subcommittee's chairman. "I'm committed to ensuring that legislators help facilitate - but not mandate - solutions to better protect our private sector networks against cyber adversaries." said Rep. John Ratcliffe, R-Texas.
Repository of Cyber Data
Some of the experts see a repository as also providing a centralized platform to share the information that many companies retain about hacking activity. "Making this data available centrally can inform analysis of long-term trends for insight into the effectiveness of security practices," said Matthew McCabe, senior vice president of the insurance brokerage Marsh.
McCabe said carriers, their business customers and regulators could potentially use the data to analyze whether certain security protocols or practices have effectively mitigated cyber risks. The government and industry, he added, also could analyze whether organizations that have implemented cyber practices using the cybersecurity framework published by the National Institute of Standards and Technology have proven more resilient in withstanding cyberattacks.
In the wake of the recent passage of information sharing legislation, he said, government and industry could explore whether the greater availability of cyber threat indicators has enabled organizations to fend off malevolent actors.
"The greater availability of cyber incident data to strengthen underwriting may also facilitate market forces to address current and future risks, and eventually encourage further carrier participation," McCabe said. "Better data could also enable the insurance industry to introduce solutions to close gaps in current coverages and to determine how to best detect and mitigate future incidents, or to reduce incident response times and facilitate recovery."
Pricing Cyber Insurance
Gathering the right data is critical in getting insurers to properly price cyber insurance policies. "If a product is priced too low, the insurer may not have the financial means to pay claims to the policyholder," said North Dakota Insurance Commissioner Adam Hamm, who testified on behalf of the National Association of Insurance Commissioners. "If too high, few businesses and consumers can afford to purchase it, instead opting to effectively self-insure for cyber incidents, limiting the ability of the insurance sector to be used as a driver of best practices."
Cyber insurance tends to be more customized and more expensive than other forms of insurance. Gathering and analyzing data about cyber incidents, some witnesses testified, could help carriers to standardize cyber policies they offer and, perhaps, bring down prices and extend coverage.
"Because this line of insurance is still in its infancy," Hamm said, "we're basically at a point where if you've seen one cybersecurity policy, you've seen one cybersecurity policy."