Cyber Insurance: When Coverage Becomes Chaos
So what's the big deal with cyber insurance, and why is it such a mysterious item? If you're a business or an enterprise that has cyber insurance—maybe you have it as part of an existing policy, maybe it's a standalone policy, maybe you don't have it at all—cyber insurance is much different from other types of insurance. Fire insurance, slip and fall, professional liability, E&O insurance, even umbrella insurance are completely different from cyber insurance. This is a great article that talks about why there is a hidden problem—an infrastructure problem within cyber insurance that makes it different—and these are things you should be aware of as a business owner even if you've not been affected by it.
There's a growing risk of assaults on your digital assets: your servers, your data, your customer information. It seems invisible; you don't see it every day the way you see your building, your desks, your employees. All your data is kind of hidden. It's only visible when you look at it on a screen, but the risk of catastrophic loss to those assets is immense. It's probably bigger than the risk of your building burning down. If your building burned down, your business could still operate in a different building. Your business is really an intangible item that's baked into your data and your customer information.
The insurance industry is discovering that this risk is more than meets the eye, and it's not the insurance industry's fault; they're just figuring this out. This is a relatively new product. Technically, cyber insurance came out in the early 2000s, but in reality it didn't become a mature product with a defined scope until 2010 or 2011. So it's roughly 10 years old. That may seem like a long time, but other types of insurance have been around for 40, 50, 60, 100 years; fire insurance, for example. So cyber insurance, at 10 years old, is like an infant.
Plus, even those 10 years are different, because during that time cyber risks have changed every year. The hackers and the cyber attackers come out with new methods. So it's almost like every year is a new environment, a new landscape for risk. Insurance companies are just now wrapping their heads around the size of that risk. A small hack that shuts down one link in a supply chain can have a ripple effect that produces many types of large-scale losses: damage, injury, and even death.
There have been hacks of hospital infrastructure that have shut down life-saving machines. There was a fire station whose computers were shut down so that it couldn't operate its equipment and couldn't respond to fires. Even private companies are sometimes part of a supply chain that's life and death. Admittedly, it isn't easy for the insurance companies to come up with answers to what's really happening; according to this article, it's an unpredictable market.
The coverage started out as a small means to deal with the inconvenient or annoying hacks that happen to businesses, but now that crisis-level events are bigger, the insurance industry has to insure an event that has no limit on the amount of damage it could do. Most types of insurance can rely on previous data. With car insurance, they can go back and ask what the records show for car crashes, injuries, and damage. You don't have those same records for cyber liability insurance, plus it changes every year, like we said.
With automotive insurance, there can be a limit. A car is worth only so much, and injuries and damages can only be so much, so you can put an upper limit, or at least a rough upper limit, on what happens in a car crash. With ransomware and other cyber attacks, if an attack hits some type of infrastructure or facility that has a ripple effect on the economy, the risk could be really unbounded. There could be no upper limit on the dollar amount at risk.
So how does the insurance company know how to price its product, how to price its premiums? Not only that, but the frequency of these attacks changes every year. With car insurance or fire insurance, you know what percentage of the insured are going to have a claim. You know what percentage of the insured are going to have an event that impacts their property. With cyber insurance, there's really not a lot of data showing what those percentages will be in the coming years.
The problem with insurance is that you can only price your product on previous claims experience. You can't guess about the future. Most states don't allow you to price your products that way; you have to go by what previous losses were. So if your previous losses have no bearing on what the future is going to hold, you don't know how to price your product. It's really just like flying blind. In some cases, insurers are not even writing policies because they don't know what their losses are going to be, which is understandable.
There's even been a call for the government to provide a backstop for cyber liability, because the loss potential is so big that insurers may not be able to account for all of it. There needs to be some larger facility to take care of these risks for small and large businesses. Look, if some major cyber attack hits multiple businesses, government infrastructure, and even large private-sector companies, it could be catastrophic and shut down a large part of the economy. If that happens, the losses could exceed the ability of insurers to compensate for them. They could exceed the ability of remediation to fix the problem.
So that is a government-level, hypothetical issue. Regardless, whether you're a large or a small company, you should have some type of cyber coverage, if for no other reason than to get insight from the industry on what you should do to try to prevent these events, and to have some coverage if a small event happens.
The other variable is that most insurance companies have minimum procedures you have to follow, minimum best practices. If you have insurance, you have to follow these best practices, and if you don't, your insurance is invalid. Things like passwords, protecting logins, and protecting your servers from direct attacks: they'll give you the best practices, and that's a good thing to follow anyway, because even if you have insurance, a cyber attack is going to be inconvenient at best and catastrophic at worst.
Even if you have insurance that will make you whole afterwards, if you're out of business for two or three weeks, you might never be able to bring back all your customers and your employees. So following these best practices is a good idea. But if you compare policies from five different major cyber liability insurers, you may find the required best practices vary from one to the other.
And what does that tell you? Which one is right? Which one is wrong? Well, at least you're doing something that's good, but there could be some kind of standardization, and that's where the government could come in to write standards, or maybe somebody like ASTM or some other standards-writing organization could create some type of minimum best practices that all the insurers could adopt to make sure that infrastructure is better protected.
Then the requirements on the different insured companies that depend on one another would match. So if your subcontractor, your vendor, and your supplier all have the same best practices in place, it's unlikely that a hacker could find the weak link in the chain: the one open port somewhere in that supply chain that lets them get in, infect the entire ecosystem, and bring down the whole economy.
