Traditional insurance practice insulates the insurer’s own operational risks from the risks it underwrites. Maritime shipping insurers don’t put their headquarters aboard ships, and flood insurers don’t build offices on floodplains. Usually it is geography that lets the insurer escape the risk, but not always: solar storms and coronal mass ejections can strike anywhere on the planet, and yet they are still insured. There are methods for shielding electronics from the effects of solar storms, and an insurer can use those to reduce its own exposure to the very events it covers.
The prevailing core question within cyber risk is how to define, model and understand the underwriting risk associated with cyber insurance. At the Centre for Risk Studies, we like to pose difficult questions, and we think there is a second core question: can cyber-insurers reduce their own operational risk transparently and measurably? It matters that they can, for consumer confidence, to add value, and to hedge their own risks.
Let’s examine two incidents from recent news to help us illustrate the operational risks:
Anthem was recently breached, and the personally identifiable information (PII) of roughly 80 million of its customers was found circulating on the web. Anthem is itself a health insurance company, and there is no need to pick on it here: this could have happened to a great many insurance companies. It is a single data point, but it points to a deeper operational risk underlying the base case for cyber-insurability. Collectively, insurers must be able to resist these types of breaches themselves in order to build confidence in their ability to insure such risks; the management of underwriting risk must rest on a solid foundation of managing the insurer’s own operational cyber risk.
Additionally, insurance companies are not used to being impersonated, particularly during a crisis. Yet that is precisely what happened immediately after the breach became public, with phishing emails posing as Anthem’s own notifications to affected members. Adding insult to injury, the very authority an organisation holds can be borrowed by attackers once it is compromised, harming both the organisation and its customers a second time. This is not uncommon in such cases; it is a confidence trick dating back to at least the 1800s (Victor Lustig, in 1925, posed as a government official to sell the Eiffel Tower for scrap, and then came back to try the same trick a second time). Is it any surprise that impersonating an authority figure and hitting the same victims more than once continues and proliferates in cyberspace as well? The practical check for a breached organisation is to state clearly, and ideally in advance, how it will and will not contact affected customers, so that a forged notification has something to be measured against.
What cyber-insurers need to think about here is how they would aggregate losses under such conditions, and what measures they can take to separate their operational risk from their underwriting risk.
Now, let us discuss a related, correlated risk: insurers don’t just purchase and use vulnerable software; sometimes they produce it. They do this in good faith, to gather useful data for actuarial tables. However, just because it is possible to gather information doesn’t mean you aren’t adding risk to the ecosystem by doing so. A concrete example: cars can be hacked, but today they are not often connected directly to the internet. Those familiar with such matters also know what networking geeks call “delay tolerant networks” and the rest of us casually call “sneakernets”: the diagnostic computer your garage plugs into your car, for example. Those computers are connected to the internet and can carry infections, so malware can hop across such machines from the internet to “air-gapped” targets; Stuxnet reaching its isolated targets on USB media is the best-known example, and there are many others. While it is unprofitable today to write malware for cars, that will change when someone finds a way to monetise it. Why does this hypothetical matter?
Because a USB dongle used to gather telemetry today can be the infection vector of tomorrow. Progressive has built just such a dongle, and Corey Thuen has demonstrated the risk it could pose in the future if it ever became a widely deployed “sneakernet” into cars.
Again, this could happen to any company that develops software, not just Progressive; we are not picking on them. The point is that any company that wants to insure others against cyber attacks had better find a way to insulate itself and demonstrate that it can write secure software. Anything an insurer ships that touches a customer’s vehicle, network or devices becomes part of the insurer’s own attack surface and supply chain, and deserves the same threat modelling, testing and update support as any other product.
Smart insurers will see the signs and be thinking about how to protect their own networks, how to buy more secure software and hardware in the future, and how to manage the supply chain risk that is critical to the cyber security equation. Insurers need to look at their operational risk as well as their underwriting risk in the cyber domain.
We are optimistic that in time these questions will be answered or solved, and that the risks will become insurable; we only urge caution that a great deal of work remains to be done. Some cyber insurance markets are more mature than others. At the Centre we have rolled up our sleeves and started solving the problems we can. Ultimately, however, the question of how insurance companies insulate themselves from cyber risk is one they have to answer for themselves.
Of course, this is not the only cyber insurance question. Our next blog will focus on whether cyber is insurable from an underwriting perspective or, more importantly, which hacking events are ready for cyber insurance and which aren’t.