The latest information from the Target data breach suggests that it suffered losses of $248 million. Thank goodness they had insurance. Well, sort of. They were covered for up to $100 million, which means it will only cost them $148 million. Yikes.
As you may have read elsewhere, cyber insurance is a growing business with premiums nationwide expected to reach $2 billion (PDF) this year. These policies are meant to cover losses stemming from data breaches and other kinds of security incidents. Sony says it has insurance to cover its most recent hack, though there isn't much any policy can do to mitigate the embarrassment from the leaked executive emails.
What cyber insurance can do, however, is help reduce the losses from data breaches to begin with. Except that it isn't. Let me state upfront that I am a strong proponent of cyber insurance. Insurance companies and the companies that offer them can play a critical role in informing corporations about effective security controls, monitoring the use of those controls, and therefore help reduce the probability and magnitude of data breaches and other security incidents. I emphasize the words “can play” because all indications suggest that insurance companies are squandering this amazing opportunity. Let me explain.
First, aside from the typical contractual details of the actual policy (defining coverage, triggers, exclusions, endorsements, etc.), firms seeking cyber insurance are presented with a security questionnaire. This questionnaire can run from just a few pages to more than 10, and it queries the firm on the various forms of information technology governance policies as well as technical security controls that the firm employs. For instance, the questionnaires ask about the number of full-time IT security staff that are employed, how many of them possess information security certifications, the number of consumer records kept (which may contain financial, health or other personal information) and the use of encryption by the company for storage and transmission of data, to give just a few examples. This is a familiar practice in the insurance industry. When you apply for car insurance, for example, the insurance company will identify whether your car is equipped with anti-lock brakes, a security system and special traction control devices. When you apply for health insurance, you are asked about your medical history and current health behaviors such as your frequency of smoking and drinking. It's a common and perfectly reasonable process.
While this sounds good, there are a couple of major problems with these security questionnaires. It is unclear how an insurer should interpret the responses. While most people would agree that having a firewall or proper network access control is better than not having a firewall and no access control, it is unclear how an underwriter would interpret and operationalize the answers to these questions. Exactly what reduction in premium should an insured party enjoy for employing two-factor authentication or implementing a vulnerability management program? As someone with over a decade of experience as an information security professional, even I would find this difficult. Further, in conversations with carriers and brokers, it doesn't seem that these questionnaires are used for anything other than a rudimentary examination of basic controls — if even that.
Another problem with the questionnaire is that even if it was useful at the time of the policy adoption, cyber threats and defense capabilities change, and therefore IT systems and software applications require updating, patching and reconfiguring, as well as monitoring by a third party. Without a reoccurring process for evaluating the status of a company's security controls, what incentive is there for it to remain diligent against new threats, given that they already have cyber insurance coverage? Yes, a company would prefer not to appear in a news story of breached firms and avoid the costs of breach notification and potential third-party litigation. But if the firm has insurance to cover these losses, its only loss is the cost of the deductible. To be clear, the reduced incentives driven by being fully insured are not new. This is simply a moral hazard, and it exists with any insurance industry any time imperfect information is shared between parties.
The second reason that insurance carriers are missing a great opportunity is that, based on conversations with underwriters, they don't appear to be using their own claims data in order to better assess the risk of a company suffering a data breach and filing a claim. It would be a shame if this were the case because there are so many great questions that could be answered with these data. Having many observations makes proper statistical inferences possible, but even fewer observations still enables basic analysis. And yet it doesn't appear to be happening.
So why is that? Some suggest that there simply aren't enough data available for even basic analysis. If that's true, it would be a very good explanation — you can't work with what you don't have. But it would also imply that firms are buying policies, suffering breaches and not filing claims. This would suggest that cyber insurance is a very profitable business.
Another possibility is that the analysis is indeed being done, but no strong correlations are being found. That is, despite all the data available — security and otherwise — there are no strong indicators emerging as to what is more likely to predict (and therefore prevent) a data breach. If breaches are, indeed, random events, then this might make sense. Breached firms would simply be the victims of bad luck. But if they aren't merely random events, then we need to look more closely and identify those factors which best protect against hackers.
The point of this article is not to expose the cyber insurance industry as behaving badly, but to invite it to step up and use the beautiful data it has to help shape and improve the security posture of its clients. Everyone will benefit. Corporations will learn to identify which security controls really matter in preventing and reducing breaches; consumers will suffer fewer losses from breaches; insurance carriers will continue to profit when their insureds invest in the right controls; and, policymakers will see industries overall become more secure. This is one situation where common sense makes good business sense. My fear is that unless they act, the only ones who will profit will be the hackers and the insurance companies.
Sasha Romanosky is an associate policy researcher at the nonprofit, nonpartisan RAND Corporation.
This commentary originally appeared on U.S. News & World Report on March 6, 2015. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.