
Analysis: Will Your Security Infrastructure Be Determined By Your Cyberinsurance?

Greg Ferro

This post originally appeared on the Packet Pushers’ now-defunct Ignition site on October 1, 2019.


Insurance companies that offer cyberinsurance policies are looking at ways to reduce their risk (and improve profit margins) by discounting for companies that deploy reviewed and approved technologies.

Company executives will make decisions about the cost and value of cyberinsurance and, almost certainly, they will do this from a position of ignorance and incompetence. They know very little about technology and cybersecurity and believe they know a lot about insurance and business. Accountants will see a reduction in insurance costs as a validation of their role. IT will generally be ignored for business issues that they could not possibly understand.

So it’s worth considering what is happening here at some length.

Reduce Risk

It should be no surprise that cyberinsurance companies are looking for ways to reduce their exposure from clients who are bad at security:

Cyber Catalyst by Marsh, launched earlier this year, convened cyber insurers Allianz, AXIS, AXA XL, Beazley, CFC, Munich Re, Sompo International and Zurich North America to identify products and services they consider effective in reducing cyber risk. Marsh said more than 150 cybersecurity offerings, spanning a broad range of categories from hardware to messaging security to Internet of Things (IoT) security, were submitted for evaluation.

The result? Seventeen products that this group of insurers agree will reduce their risk.

Insureds that adopt Cyber Catalyst-designated products may be considered for enhanced terms and conditions on individually negotiated cyber insurance policies with participating insurers.

The evaluation criteria seem reasonably sound:

What are the evaluation criteria the participating insurers use to evaluate cybersecurity solutions?

The eight insurers participating in Cyber Catalyst voted independently on each solution, with Marsh tallying the votes and Microsoft serving as technical advisor. The insurers evaluated cybersecurity solutions that address major risks, including data breach, business interruption, data theft or corruption, and cyber extortion. In evaluating these solutions, insurers used six criteria:

1. Reduction of cyber risk: demonstrated ability to address major enterprise cyber risk such as data breach, theft, or corruption; business interruption; or cyber extortion.

2. Key performance metrics: demonstrated ability to quantitatively measure and report on factors that reduce the frequency or severity of cyber events.

3. Viability: client-use cases and successful implementation.

4. Efficiency: demonstrated ability of users to successfully implement and govern the use of the product to reduce cyber risk.

5. Flexibility: broad applicability to a range of companies and industries.

6. Differentiation: Distinguishing features and characteristics.

Some of these criteria are broad and leave a lot of room for discussion, but there are stakeholders like Microsoft assisting. While Microsoft has proven incompetent at infrastructure security for the last thirty years (pssst MS Windows) it’s very good to have a monopoly IT business adding weight to your program. Let’s pretend that Microsoft is not only protecting its revenue cash cow but doing something useful.

Freedom To Be Incompetent

As a general principle, the ‘freedom’ to choose your security infrastructure assumes that a business (insured party) has competent, capable technical staff supported by competent and capable managers to select, deploy and operate that infrastructure. This is provably false when you consider the number of public breaches and outages, not to mention the likelihood of a higher number of unreported events.

Insurance companies (and their actuaries) have realized that this ‘corporate competence’ is false often enough to justify taking proactive steps. The insurer has limited options to enforce good security and reduce its risk. In fact, the act of offering insurance is more likely to decrease security spending and quality because, hey, I’ve got insurance. This is known as a moral hazard:

The most common form of moral hazard is in car insurance. Drivers without insurance drive much more carefully and have fewer accidents than drivers with insurance. The very act of insurance means that the majority of the impact of an accident is transferred to the insurance company, who will pay for damage to your car and any third party. It’s proven that car insurance increases driving accidents and this creates adverse outcomes. Source: EtherealMind.com

It is reasonably true that for some companies, being compelled to use specific technologies/products/vendors will reduce the effectiveness of their security posture. These companies will complain loudly. This attitude misses the point that insurance companies need a sufficiently large pool of premium payments to make the insurance game work. A large pool of insureds is achieved by writing policies and making a profit margin by not paying out on claims.

The $125 billion cybersecurity marketplace offers thousands of products, but companies can find it challenging to evaluate those offerings given limited resources and expertise. Source: Marsh

Logically, if your team is really good at cybersecurity then you don’t need cyberinsurance. Except you have zero guarantees that the company is actually secure because your IT assets have been widely proven to be unsafe and impossible to protect. Case in point: Microsoft Windows, printers, cloud services. Executives are unlikely to bet the business on security professionals who have demonstrated consistent failures and incompetence for decades as an industry.

Moral Hazard

It is also obvious that companies with poor security practices are more likely to sign up for insurance. This is much easier than solving problems, particularly when dealing with security professionals, vendors, and consultants is such a painful process. Heck, just selecting security solutions from an enormous range of choices is a serious exercise.

People complain about PCI auditing and reviews while missing the truth: PCI is used to improve companies that are incompetent and incapable or to remove them from the PCI risk pool altogether; i.e. it’s easier to use a payment processor than to do it yourself. This prunes the low-hanging branches and improves the market for all participants that remain.

Cyberinsurance may choose to copy this strategy to improve its business model. You might notice this means they don’t care about your business. Yes, this might make your business change its infrastructure supplier, force changes in your security processes, and might even reduce your security function. Collateral damage is normal, see PCI.

What’s also true is the actuarial analysis is much better at evaluating risk than you or I. Those people are smart and they spend years analysing data before establishing an insurance pool. They will have considered the negative impacts and likely concluded that your objections do not matter in the bigger picture.

I’m going to leave the topic of vendor rationalization alone. If enough insurers adopt this process, then this list will define a lot of sales opportunities. Perhaps even enough to kill off some of the smaller players, which would be very welcome.

References

17 Cybersecurity Products the Cyber Insurance Industry Says Are Worthwhile : https://www.claimsjournal.com/news/national/2019/09/25/293273.htm

FAQ: https://www.marsh.com/content/dam/marsh/Documents/PDF/US-en/cyber-catalyst-general-faq.pdf

Link: Cyber Catalyst by Marsh – https://www.marsh.com/us/campaigns/cyber-catalyst-by-marsh.html

About Greg Ferro: Human Infrastructure for Data Networks. 25 year survivor of corporate IT in many verticals and many tens of employers working on a wide range of networking solutions and products. Co-founder of Packet Pushers.