This latest Opinion piece looks at why we need a public-private partnership to grow the cyber insurance market. It is by Seth Rachlin, Ph.D., Global Insurance Industry Leader, Capgemini.
We are only beginning to assess the impact of the SolarWinds Orion cyber event. To date, it has affected upwards of 250 government agencies and businesses. By the time its full extent is known, it may be the most widespread security breach on record. While its scale may ultimately make it unique, the SolarWinds event reflects a disturbing trend: the use of the technology supply chain to distribute malware farther and wider than other exploits. Like the catastrophic NotPetya event of 2016 — which started with an attack on a Ukrainian tax software provider — the SolarWinds Orion perpetrators exploited a “routine” patch to distribute malware across hundreds of targets. This breach has focused attention on businesses’ dependence on the security practices of their technology ecosystem and on the systemic vulnerability of the cyber world to a few key software providers. It has made enterprises realise that, even with the latest and greatest security technologies and processes, they are still at risk.
One would think this is good news for the cyber insurance market. With annual growth rates in excess of 25%, cyber insurance is already the fastest growing segment within the commercial P&C market. And at $7B in global annual premium, it has significant headroom. S&P estimates that cyber risk costs businesses in excess of $700B each year, suggesting that cyber insurance has barely scratched the surface of its potential. High profile breaches like SolarWinds raise awareness of cyber risk. They demonstrate the potential value of insurance as a complement to technology and process control frameworks in a holistic enterprise cyber risk strategy. They are market makers when it comes to cyber insurance.
But ultimately, SolarWinds and attacks like it could be market breakers as well. Cyber insurance originated as a response to hackers who target specific companies intending to steal data or disrupt operations. Its payouts cover the costs of providing restitution to customers whose information was stolen, restoring operations to their pre-breach state, and addressing regulatory fines or penalties.
Despite its technology focus, it is very much a traditional insurance product: the premiums paid by the many indemnify the losses incurred by the few. Widespread losses and systemic disruption – the likely consequence of technology supply chain attacks in the future – are ill-suited to this traditional model. While the industry has adapted to handle catastrophic weather events like hurricanes, there is a fundamental difference with cyber. Hurricanes are geographically concentrated. Attacks on the technology supply chain know no such boundaries: NotPetya started in Ukraine but impacted the entire globe, like a storm that hits the world’s entire coastline at the same time.
Cyber events are increasingly targeting the technology supply chain and calling into question the ability of the private insurance industry to address the systemic risks of a hyperconnected world. How will the insurance industry adapt? The conventional answer – raising premiums and tightening policy language with exclusions – would substantially constrain cyber insurance market growth: the insurance simply would not be worth buying. A better answer will require a significantly enhanced partnership between the insurance industry, governments and the technology industry.
Fortunately, a model for the future can be found in the industry’s experience after 9/11. In response to an immediate and exponential increase in terrorism risk following the attacks on the World Trade Center and the Pentagon, governments and reinsurers partnered to create public/private risk pools to be invoked in the event of a future terrorist attack. This public/private partnership – similar in many respects to the reinsurance capacity provided against windstorm by the State of Florida – stabilised the property insurance market by providing it with a new catastrophe “backstop.”
A similar approach could most certainly be applied to systemic cyber events resulting from supply chain and other ecosystem exploits. Such a backstop could operate as a form of stop-loss reinsurance, triggered by a predetermined metric such as total losses incurred or the number of businesses impacted, and paid out against losses spread across a broad ecosystem of insureds. Funding for such a pool could come from a combination of premiums from insureds, fees paid by technology firms in exchange for agreed limits on their liability for breaches for which they are responsible, and taxes. With such a pool in place, the cyber insurance market can remain stable and insurers can price and cover the types of risk the product was designed for. The time to create such a structure is now, before a cataclysmic cyber event that makes it seem a necessity in retrospect.