The promise and limits of private cyber insurance
Cyber vulnerability is a source of significant risk for both the public and private sectors. Because the world’s cyber environment is expansive and constantly evolving, definitive assessments of what constitutes “cyber risk” have proven difficult. Understood broadly, cyber risk includes “operational risks to information technology assets that have consequences affecting the confidentiality, availability, or integrity of information or information systems.” By extension, this definition encompasses not only intangible assets, such as information, but also physical assets and the damage done to them through cyber-attack vectors.
To cope with cyber risk, firms are beginning to turn to private risk-transfer mechanisms. Of these, cyber insurance (the transfer to a third party of the financial risk associated with information technology) is the most prominent. Because traditional liability coverages are not designed or priced to encompass cyber risks, an entirely new field of products is being developed and deployed to manage them. Given the cyber-insurance market’s relative novelty, how far it can go toward mitigating the effects of cyber-attacks has not yet been definitively established. Cyber risk encompasses both low-frequency, high-severity events and more common “day-to-day” threats. The latter, data breaches in particular, have so far cost roughly $3.8 million per event. Encouragingly, policies with $50 million limits would to date have been able to cover roughly 92 percent of cyber-event claims.
But the potential for larger, so-called “black swan” events also poses an as-yet unquantifiable risk to private industry and civil society alike.
The specter of such events raises a series of questions. Does the insurance industry as a whole (including reinsurers and capital-markets entities) currently have the appetite and capital necessary to underwrite all, or nearly all, of the cyber risks that firms and individuals may wish to transfer? If it does not, is there a case for creating a backstop, pool, public reinsurance facility or other government insurance entity devoted to cyber risk? Finally, would such a facility, whether modeled on the United States’ existing Terrorism Risk Insurance Program or on a federally sponsored pool similar to the United Kingdom’s Pool Re, displace private-sector capacity or create undesirable moral hazard?
Finding answers to these questions will be paramount to the prospects for our connected future. Those answers will bear directly on the degree of control over cyber governance and functionality that governments, the U.S. federal government in particular, are able to exert over private actors. Ultimately, the more the cost of our continued exploration of cyberspace is borne by the public, the less say any individual member of that public will have over their own interconnected destiny.