The promise and limits of private cyber insurance

The wonders of the Internet Age have brought with them a previously unimagined level of interconnectedness among people and institutions around the world. The power and mobility of modern computing devices were scarcely contemplated even by popular science fiction like Star Trek and the Jetsons. Since those 1960s visions of fantastical futurescapes, it has become possible, with only a device and a cellular network, to make international calls, do mobile banking and gain access to a fair proportion of the world’s collective knowledge. This connectedness is an unalloyed good for the cause of freedom. However, it has also been subject to serious threats from the outset. The information passing freely through cyberspace grows in value each day and, for that reason, is a more valuable target for would-be malefactors.

Cyber vulnerability is a source of significant risk for both the public and private sectors. Because of the expansive and evolving nature of the world’s cyber environment, making definitive assessments of what constitutes “cyber risk” has proven a challenge. Understood expansively, cyber risk includes “operational risks to information technology assets that have consequences affecting the confidentiality, availability, or integrity of information or information systems.” By extension, this definition encompasses not only intangible assets, like information, but also physical assets and the damage caused to them by cyber-attack vectors.

To cope with cyber risk, firms are beginning to turn to private risk-transfer mechanisms. Of those mechanisms, cyber insurance—the transfer of financial risk associated with information technology to a third party—is the most prominent. Indeed, because traditional liability insurance coverages currently are not designed or priced to encompass cyber risks, an entirely new field of products is being developed and deployed to manage such risks. Given the cyber-insurance market’s relative novelty, the limits of its capacity to mitigate the effects of cyber-attacks thoroughly and effectively have not yet been definitively outlined. Cyber risk encompasses both low-frequency/high-severity events and more common “day-to-day” threats. The latter, specifically data breaches, have thus far presented a disaggregated cost of roughly $3.8 million per event. Encouragingly, to date, policies with $50 million limits would be able to cover roughly 92 percent of cyber-event claims.

But the potential for larger, so-called “black swan” events also poses an as-yet unquantifiable risk to private industry and civil society alike.

The specter of such events raises a series of questions: does the insurance industry as a whole (including reinsurers and capital-markets entities) currently have the appetite and capital necessary to underwrite all or nearly all cyber risks that firms and individuals may wish to transfer? If it does not, is there a case to create any sort of backstop, pool, public reinsurance facility or other government insurance entity devoted to cyber risk? Finally, would creating such a facility—like the United States’ existing Terrorism Risk Insurance Program or perhaps a federally sponsored pool similar to the United Kingdom’s Pool Re—displace private sector capacity or create undesirable moral hazard?

Finding answers to these questions will be paramount to the prospects for our connected future. Those answers will bear directly on the level of control over cyber governance and functionality that governments—the U.S. federal government, in particular—are able to exert over private actors. Ultimately, the more the cost of our continued explorations of cyberspace is borne by the public, the less say any individual member of that public will have over their own interconnected destiny.
