The takeup rate of cyber insurance is rising, but the market’s growth to date has been uneven. Anne Hobson, a technology policy fellow at the R Street Institute, may have a solution to that problem. She proposes that the federal government, as a high-profile cyber target and large user of connected devices, is well-positioned to address the uniformity problems currently afflicting cyber-insurance policies by introducing a financial responsibility requirement for some of its most vulnerable vendors and contractors.
In a new paper, Hobson takes stock of the risks presented by growth of the so-called “internet of things.” The “things” are objects, hitherto unconnected, that are now being networked for our convenience. Each of these objects has the ability to send or receive data, often to do both, and is, as a result, susceptible to breach and malicious misuse.
She reasons that, beyond outright ignorance of the existence of cyber insurance, the principal reason firms fail to carry coverage is that the policies are both complex and nonstandard. Thus, while there is reason to believe the takeup rate will continue to climb as the market grows, a step taken to introduce some level of uniformity to the market may speed that process further.
But finding a benign way to introduce greater uniformity to cyber-insurance offerings is challenging, particularly given that the long-predicted rapid growth of the cyber-insurance market is now meaningfully underway.
Nigel Pearson, global head of fidelity at Allianz Global Corporate & Specialty recently noted that “the cyber market is growing by double-digit figures year-on-year, and could reach $20 billion or more in the next 10 years.” His prediction was echoed by similarly bullish analysis from Allied Market Research. Allied projects the cyber-insurance market will reach $14 billion in written premium in five years, by 2022.
Despite those developments, growth has been uneven. While firms in some sectors, particularly large firms in financial services, are now more likely than not to carry some level of cyber insurance, the vast majority of small and midsize businesses do not. The risk for such firms is large and growing. In fact, according to Hartford Steam Boiler, 60 percent of small and midsized businesses that experience a cyber attack go out of business within six months.
Hobson argues that prescriptive regulations establishing cybersecurity standards would do more harm than good for firms of all sizes, but that federal agencies can help encourage the fast-developing cyber-insurance market by insisting that internet-of-things contractors be held financially responsible for any liabilities created for taxpayers as a result of cyber-attacks on their products or services.
The rationale for such a requirement is twofold. First, it is important to insulate taxpayers from the costs associated with a breach. In Hobson’s own words:
In the case of a cyber-attack or data breach that stems from the insecurity of a contractor or vendor’s system, the contracting agency…could have to expend resources on a host of ancillary costs, which can include DDoS mitigation services, forensic investigations, user notifications and data recovery. Rather than pass such costs onto the taxpayers, agencies and government purchasing agents should assert in contractual language their right to subrogate these liabilities from the contractor or vendor.
Second, greater adoption of cyber insurance would help to improve cybersecurity itself, as it would align security incentives. As firms go through the cyber-insurance underwriting process, they are made to audit their cyber vulnerability and to address problems as they are uncovered. For their part, insurers have every reason to ensure that firms maintain a vigilant cyber defense. Thus, each party has an independent pecuniary incentive to foster an effective ongoing cyber defense.
Congress is eager to improve the nation’s cybersecurity preparedness. But instead of a cyber-insurance backstop for large risks, or a prescriptive set of security requirements for small firms to follow, Hobson concludes that the best thing that it can do is set an example as a market participant. By taking a modest step, Congress can both expand the universe of firms with cyber insurance and bolster the nation’s cyber preparedness. That’s a win-win.