While wading through the hundreds of security predictions I received last month, most of what I saw was expected – thoughts about the future of ransomware, DDoS attacks, Internet of Things security, and even artificial intelligence and machine learning. What did surprise me was the number of predictions made about cybersecurity insurance. That’s not a prediction topic that normally makes its way into my mailbox; in fact, it is a topic that rarely comes up in my discussions with security professionals. That’s why one mention of a cybersecurity insurance prediction caught my eye. And then I noticed it mentioned multiple times and wondered why.
Cyber insurance is on the rise, as more companies adopt plans and more underwriters expand their portfolio and grow their premiums, Jake Olcott, VP of Business Dev at BitSight, explained to me in an email. Okay, that makes sense. While I couldn’t find corresponding information on U.S. companies and the adoption of cybersecurity insurance, I did note that these types of insurance plans grew by 50 percent between 2015 and 2016 in the UK. According to Infosecurity Magazine, a CFC Underwriting poll found:
Some 23 percent claimed the “fear factor” of a costly attack had driven them to invest in insurance, while even more (26 percent) cited the European General Data Protection Regulation (GDPR) as a factor. . . . Over half (53 percent) of respondents claimed that electronic computer crime will likely lead to an increase in insurance claims, followed by “non-physical business interruption” (25 percent).
The problem with cybersecurity insurance, Rick Tracy, chief security officer and Senior VP at Telos Corporation, told me, is that there isn’t a great deal of actuarial data to help insurance carriers underwrite cyber risk, which means the aggregate effect of cyber risk and the financial liability it poses are critical concerns for the insurance industry. This is why Tracy’s prediction stated:
Moving forward, not only will it be important for insurance companies to better understand the risks facing individual clients, but they will need to view this data over their entire portfolios to understand aggregate risk and ensure they are not over extended.
Olcott said he believes that, to make cybersecurity insurance credible and to justify its costs, companies and underwriters will use a Big Data analytics approach in 2017, adding:
Beyond the data, there will be a new focus on what happens during the lifetime of a business relationship. Underwriters will begin developing programs that drive better security hygiene. In the same way that health insurance providers developed no-smoking policies or provide discounts for gym memberships, cyber insurance underwriters will reward companies for taking a more proactive approach toward cybersecurity.
That idea corresponds with the prediction from Emy Donavan, North American head of cyber for Allianz Global, who thinks that we’ll see cyber insurance policies that are tailored for specific industries, rather than a one-size-fits-all approach.
Although I don’t expect to hear a lot about cybersecurity insurance going into the new year, I do think that we’ll see new approaches to insurance coverage, especially as the threat of cyberattacks rises.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba