View all episodes on our Tell Me How: The Infrastructure Podcast Series homepage
This episode discusses the role of cyber insurance in strengthening cybersecurity outcomes and how the regulatory framework may affect the demand for cyber insurance.
This podcast series is produced by Fernando Di Laudo and Jonathan Davidar.
Listen to this episode on your favorite platforms: Amazon Music, Apple Podcasts, Google Podcasts, Podbean, and Spotify
Transcript:
Roumeen Islam: This is the World Bank’s Infrastructure podcast. In today’s episode, we discuss the market for cyber insurance and its effect on cybersecurity.
Some time ago, a medical services management company started its day like any other, only to realize its digital systems were not accessible. Why was that? Well, a ransomware, known as “Hello Kitty,” had encrypted all its information so that it was no longer available. And cyber attackers requested a ransom of $750,000. What was the company to do?
Facing business pressures, it decided to pay, but thanks to the guidance of its cyber insurer, both the ransom and income loss were recovered. Yet, these attacks are happening to many small and medium-sized companies, and attackers are asking for large amounts of money.
So how does cyber insurance help? Let’s find out.
Good morning and welcome. I am Roumeen Islam, host of “Tell Me How,” and my guests today are Tyler Moore, Tandy Professor of Cyber Security and Chair of the School of Cyber Studies at the University of Tulsa, and Daniel Woods, who is the Marie Curie Fellow at the University of Innsbruck in Austria. They will be speaking today about cyber insurance markets.
Welcome, Tyler and Daniel.
Daniel Woods: Great to be here.
Tyler Moore: Hello!
Roumeen Islam: Thank you for being here today, and let me start the discussion today by asking you: What is cyber insurance? What does it cover, and why is it important?
Tyler Moore: So, , and so on.
When a firm experiences a cyber-attack, the costs can add up pretty quickly. These range from restoring data, rebuilding systems, to lost revenues caused by system outages, through to paying fines from regulators, or even defending against lawsuits. All of these costs are typically covered by cyber insurance policies. Somewhat controversially, many cyber insurance policies even cover the cost of ransoms paid to cybercriminals.
But beyond just making payments, insurers assemble a team of experts to help respond to cyber-attacks, including forensic specialists who investigate, lawyers who advise on notification requirements, and PR specialists to come up with a communication strategy.
Roumeen Islam: Oh, my goodness. So many different types of people are involved in this?
Tyler Moore: It’s a fairly complex process for sure. But ultimately, why we’re talking about this today and why I think But it’s not just that.
Because cyber is seen as a large and growing risk, there’s this great hope that the insurance industry can help tame this risk, since after all, they’re the experts in quantifying and managing risks. They could do this by pushing policyholders to improve their cybersecurity posture, and in a world where strong regulatory actions are not always politically feasible, turning to the private insurance industry could actually be quite attractive.
Roumeen Islam: I understand that this is a very complex industry, the cyber insurance industry, but
Daniel Woods: So, we’ve seen over the last few years that traditional insurance policies, those that might have existed, say 20, 30 years ago, increasingly exclude losses caused by cyber-attacks. And this leaves gaps in coverage.
For example, business owners might expect that a traditional business interruption policy will cover the lost revenues if a cyber-attack disrupts operations, but some of those policies – and this is actually increasing in prevalence – exclude losses caused by cyber-attacks.
Another way in which cyber insurance is different is that traditional insurers maybe have less expertise with the security industry, whereas cyber insurance specialists have built these relationships over time. That means they can put you in touch with the people to, say, respond to an incident, as Tyler mentioned earlier.
Roumeen Islam: I see. So cyber insurance can do all these wonderful things. So, is it a silver bullet? Can business leaders sleep soundly at night once they’ve taken out a cyber insurance policy? Who wants to take this, Daniel?
Daniel Woods: Yeah. Not quite. I think it’s important to know that there are gaps in what is covered by cyber insurance and also how much financial coverage there is.
For example, firms might suffer reputation damage following an incident, and this might impact the business on an ongoing basis. For example, firms could suffer reputation damage as consumers lose trust following an incident. And this could cause lost revenues on an ongoing basis. And this loss of reputation would not be covered by cyber insurance. Similarly, if you talk about the competitiveness lost due to stolen intellectual property.
The second aspect in which cyber insurance doesn’t cover the entirety of cyber risk is that coverage limits are fairly low for cyber insurance. And that’s especially true for large corporations.
This is because cyber insurers and also the reinsurers who insure the insurance are uncomfortable with the risk. And this means no single insurer is comfortable taking on a large amount of cyber coverage. So, the way the industry solves this problem is they build what is called a “tower policy.”
So, in a tower policy, the first insurer will agree to cover the first $25 million of coverage, the next insurer, the next $50 million, the third insurer, the next $100 million, and so on. And through kind of coordinating insurers, the industry has been able to build coverage with a total limit of $1 billion.
But even this may not be enough to cover the entirety of cyber losses that certain organizations face.
Roumeen Islam: Yes, of course, the losses can get very, very high. Now, could you say something about the status of the cyber insurance market worldwide? Do a lot of countries have active cyber insurance markets?
Tyler, do you want to take this?
Tyler Moore: Sure. So, the U.S. is a leader in cyber insurance, but the coverage is of global nature. You see it across many developed economies and Europe and Asia Pacific. It’s most wildly available in the places where there’s significant potential for claims. And so that’s going to be where the economies are most developed. Before ransomware became so prevalent, the most common type of insurable event was actually data breaches.
Let’s remember for a second who actually buys cyber insurance. It’s enterprises, not individual consumers. So, when you think about data breaches, they really become a problem for enterprises only in those jurisdictions, where there are laws that compel disclosure when a data breach occurs. And the U.S. was a pioneer in this respect; it was the first place where data breach notification legislation came around, beginning in California in 2002.
Now that the obligation to disclose when a data breach occurs has spread to other countries, you actually see a similar spread of cyber insurance coverage to those countries.
Roumeen Islam: I see, so there is legislation that increases the demand for it. That’s interesting.
Tyler Moore: Absolutely. And it sometimes works that way, but not always.
Cyber covers a lot of threats. So, when we look at a more recent topical threat, ransomware, that too has created demand for insurance cover, but it did not require a similar obligation from legislation.
Ransomware is different than, say, data breach notifications because there was no need for state legislators to come in and say you have to disclose when you experience ransomware.
It becomes pretty obvious when an organization has ransomware because their systems no longer work.
Roumeen Islam: So that’s the difference between the two. I was just about to ask you. Ok.
Tyler Moore: The difference between ransomware and data breaches is that when you lose personal data, and you’re a large corporation, and you lose a database of a hundred million customers, the cybercriminals might have access to it, but that’s not really something that they’re going to necessarily proclaim from the rooftops. And the company who lost it isn’t going to want to talk about it either. So that’s why we had legislation, which obligated those firms to disclose, which made the harm salient.
Now with ransomware, attackers come in, they encrypt all of the drives and systems of a company, and those systems just screech to a halt. And this is very observable. And so, there’s no need for legislation to come in and say, “you have to let consumers know this happened.” It becomes newsworthy on its own. And so, the insurers, now that companies are disclosing naturally when a ransomware attack happens, they can step in and actually provide coverage for it.
Roumeen Islam: What was that attack in Bangladesh at the Bangladesh central bank some years ago? Wasn’t that a ransomware attack or not?
Tyler Moore: No, that was a different kind of attack. This is what makes cyber so interesting and also what makes cyber insurance so difficult, is that there is such great variety in the types of threats. So, you have data breaches, you lose personal information, ransomware, they encrypt your systems and extort a ransom.
In the case of the attack on the central bank of Bangladesh, that was actually a compromise of that central bank so that they could issue fraudulent requests to the Federal Reserve Bank of New York through the swift network to essentially issue requests for payments to the criminals so that they actually extracted money from the accounts at the Bangladeshis account at the New York Fed and got money out that way.
It’s a whole new way. And so, if you’re an insurer, you think, “ok, there are so many possible threats, so many different ways in which we could have a claim for our customers” that you can see why they are resistant in having very large policies like Daniel was describing for their customers.
Roumeen Islam: And this market has been growing a lot recently, right?
Tyler Moore: Exactly. So, the cyber insurance market has been growing quite considerably in line with sort of the rise in the number of adverse advents that we’re reading about in the news. And so, it’s been growing 30% year on year since the mid-2010s.
And, actually, until a couple of years ago, at about 2018 or so, prices were actually falling in real terms because there was more competition among insurers to gain market share. And then ransomware really takes off all of a sudden, and all of these previously profitable lines are suddenly bleeding cash.
And so, as a result, what we see is that the insurance premiums, when enterprises are up, they go up by a lot, as much as 30% or more. And as a result, we also see some insurers who have decided this market just isn’t really worth it anymore, and they’ve dropped out completely
Roumeen Islam: Of course, and a lot of volatility like that can make a lot of firms drop out.
So, the demand for insurance increased because of regulation and because companies faced many more observable attacks. And what about supply, Daniel? Would you like to say something about this?
Daniel Woods: Yeah. So, over time, as Tyler said, more companies came in and began selling cyber insurance. And the reason they did that is they looked at the initial innovators who began selling insurance.
And what they realized is these companies were making a profit kind of hand over first. And especially when you compare that to saturated insurance lines, like, say, automobile insurance, where the kind of profit that insurers can extract is quite low in cyber insurance, it was much higher.
And this was partly because these insurers, they were innovating, and they could charge high prices because there was less competition. But then, over time, more insurers piled in, and in our paper, we show this kind of longitudinal view of prices, and they trend down since 2012. Then in 2018, the ransomware epidemic begins to bite, and then you see prices increase and insurers dropping out of the market.
Roumeen Islam: Yeah, it’s, I guess what Tyler was pointing to. Go ahead, Tyler.
Tyler Moore: And one thing I’d like to add here is that the biggest cyber risks that keep the C-suite up at night goes far beyond the events that are readily insurable. Now it’s true, no company wants to experience a data breach or be hit with ransomware, but there’s a concern that a catastrophic cyber-attack above and beyond could threaten the business with an attack that’s essentially unrecoverable.
So, think of an attack on a bank that fundamentally invalidates its accounting ledger. So, the customer balances are all wiped out, and all backups are corrupted. Or, say, a cyber-attack on an electric utility that triggers prolonged outages or cascading failures on the grid. These more catastrophic tail risks are hard to model precisely because the population of hypothetical cyber-attacks is practically infinite.
So, in the face of these hard to quantify risks, insurers are going to rationally limit the amount of coverage available, which in turn dampens the enthusiasm of firms who are going to turn to insurers to manage those tail risks in the first place.
Roumeen Islam: Yeah, that’s a difficult cycle.
Now let’s speak a bit more about the roles of cyber security versus cyber insurance for firms when they’re managing risk.
I mean, cyber insurance only matters when your cybersecurity measures fail. So, what’s their incentive to be tighter, better on cyber security versus taking out a cyber insurance policy.
Tyler Moore: Absolutely,
There’s also mitigation, avoidance, and acceptance. And when you look at most of the cybersecurity industry, they focus on avoidance and mitigation. So, avoidance comes in the form of policies against risky behaviors for going profitable ventures due to the risks that might be introduced.
Whereas mitigation is what the large and growing cybersecurity industry sells. It’s the technologies and services that are designed to minimize the risks associated with cyber-attacks.
But the fact is no matter how much a firm spends on those mitigation efforts, some risk will remain. So, it then becomes a firm decision whether they’re going to accept that risk or transfer part of, or all of it, through to insurers.
And so, I would say that firms have a reasonable incentive to transfer some of that remaining risk. Now there’s a limit, and that the cost of security controls that would mitigate risks often dwarf the insurance premiums. So, there’s a limited amount of control an insurer can sway by offering a discount for certain security controls that may not influence a firm’s decision as to whether or not they’re going to buy the cyber insurance or adopt a control, because the cost of adopting that control could be many orders of magnitude more than any reduction in premium that you might get for adopting that control.
Roumeen Islam: All right. So, there’s definitely an evolving cost-benefit calculation going on. What do you think that the role of government is in this market? Is there a role for the government, Daniel? Would you like to take that?
Daniel Woods: Yeah. The biggest question in cyber insurance policy right now is should insurers be able to indemnify ransomware payments? Right now, the government already influences negotiations and the decision to pay via financial sanctions.
So, for example, in the United States, the OFAC guidance basically describes to whom you’re allowed to make payments. And there’s a list of entities that you are not allowed to make payments to, and that includes some ransomware gangs.
Roumeen Islam: So, Daniel, could you just tell us what OFAC is? What does that stand for?
Daniel Woods: OFAC is the Office of Foreign Assets Control.
Roumeen Islam: Thank you.
Daniel Woods: So, there are also voices pushing for government policy to go further than this and to issue a blanket ban on insurers, paying ransoms.
The argument is that by paying ransoms, the gangs only invest more in expanding capabilities to infect more firms, and also, the next time they compromise a firm, they will demand even more of a ransom, a higher ransom. And this is known as “ransom inflation.” It is hoped that the ban would prevent this.
But insurers push back by arguing that in some ransomware incidents, paying the ransom could be the difference between the business surviving or not surviving. And we should note that in industry surveys, only less than half of ransoms are actually paid. Most firms they’ll recover from backups.
Roumeen Islam: Oh, so I didn’t know that actually. Now, what happens when they pay the ransom? What has the evidence shown? Does the attacker exit then? What happens?
Daniel Woods: This is a fascinating topic. You would kind of expect that this is a cybercriminal operating often in a foreign country. Why would they respect this contract?
But what happened is professional negotiators were brought in, often recommended and paid for by insurers, and over time, those ransomware negotiators have kept track of how often the cybercriminals honor that payment by giving back the decryption key. And what they find is that the rate at which this happened has actually gone up to over 99% of cases.
Roumeen Islam: That’s amazing. I would not have thought that, actually.
Daniel Woods: Yeah, and I think what’s really interesting here is, on the one hand, this seems great because the organizations get their key back. But then, on the other side, you’ve created these reliable relationships with cyber-criminals, and arguably that has helped make ransomware an even more viable business venture.
Roumeen Islam: Yes. I’m not sure what to say to that. Can the cycle be broken? But before we get there, I think Tyler, you wanted to say something.
Tyler Moore: The whole discussion about ransomware and what the government intervention should be, should there be one, is a fascinating and important one.
But I guess what I’d like to comment on is the broader question. I would say “absolutely.” And the reason why is that there are externalities everywhere you look in cybersecurity.
When a cyber-attack happens, the harms often go beyond the firm who is directly attacked. When hackers accessed the credit files of 145 million Americans when they breached Equifax, the harm went way beyond just Equifax itself. It created lasting harm to individuals who had no say over Equifax’s security practices.
When Colonial Pipeline shut down following the ransomware attack last spring, it created chaos across the U.S. Eastern seaboard by disrupting energy supply chains. There were people literally putting gasoline into plastic bags. That was caused by a ransomware attack. And these are negative externalities. The harm of this cyber-attack went far beyond the original target.
And whenever you have a negative externality, which is a class of market failure, this means that firms are likely to underinvest in the security required, compared to what would be best for society as a whole.
Roumeen Islam: That’s clear, yes.
Tyler Moore: It also means that they’re less likely to buy cyber insurance coverage than they should do since the cost of a catastrophic attack is borne not only by them. It’s borne by others as much or more than them.
Roumeen Islam: I’m getting the sense that you don’t have as much disclosure as one would like to have about what’s going on in the market. Then how do you get data? How do you learn about what’s happening and how to better prevent attacks?
So how limiting is the availability of data on attacks and the nature of the attacks to the development of the market?
Daniel Woods: Clearly, in any line of insurance, if you collect more data, you study it, you can price the risk better, identify which controls are effective to reduce risk. And these are great things. But there are some peculiarities of cybersecurity that actually make this really difficult in the actuarial context.
So, we could ask if historical cyber data is ever relevant due to dynamics in cybercrime and technology. For example, how much does data from 2010 help kind of to price risk when that was before ransomware was a widespread form of attack? You can also think about nonlinearities in technology. So, in 2016, two separate sets of academic researchers tried to predict the maximum size of data breach that’s possible.
So, these aren’t even fine-grained estimates. It’s just establishing an upper bound. One set estimated that there was a 10% chance of a breach of 200 million within three years. The other said that 200 million was the maximum size. In that very year, Yahoo announced a data breach of 3 billion records.
So, this is a whole order of magnitude bigger than the maximum upper bound that the researchers had tried to establish. If reinsurers made this kind of misestimate, the consequences could be billions of dollars.
Roumeen Islam: That’s clear. There’s a huge difference between 200 million and 3 billion. Tyler, you wanted to say something.
Tyler Moore: I see a few fundamental challenges with data in this space.
On the one hand, getting good data in cybersecurity has always been a challenge, as Daniel was saying because firms do not like to air their dirty laundry. So, for a long time, cybersecurity practitioners have wondered if insurers could be the solution to this problem because the core competency of insurers is to quantify and price risks.
But it really hasn’t worked out that way overall. Insurers can’t compel insurers to share their detailed information about the precautions they’ve taken, and they struggled to know which data would be most useful to them, even if they could ask. Moreover, the firms who experience cyber incidents might prefer not to file a claim if they’re unsure if doing so would mean that they could keep the incident hidden from view.
What we’ve seen – and I keep going back to this – is that data breach legislation forced firms to disclose. It actually helped create the workable market for cyber insurance against breaches of personal information. So, other threats like ransomware, again, they’re inherently observable by outsiders and produce readily quantified losses, like ransoms paid and business interruption.
So, a challenge arises in the case of cybersecurity threats, where the impact is less easily quantified, and this can happen. There is a potential breach of an enterprise, you may not know immediately what the extent of the harm is, and if time moves on, then maybe you can just hope that the effect is minimized.
Again, reputation damage is not insurable and in no small part because this harm is very difficult to quantify. So, if there was a way to reliably estimate what your reputation damage was, I’m sure insurers would offer that policy. But we just can’t do it that well.
Roumeen Islam: I suppose ex-post, you might be able to do it by seeing how many customers you lose.
Tyler Moore: You can, you absolutely can, although the question is how generalizable is that across parties? One last data challenge that’s specific to cyber insurance I want to mention is that most insurers do not share incident data with each other. And this suits the market leaders in this space just fine, the couple of firms at the top. But once you get further down beyond those leaders, there is a very real risk of not seeing enough variety in the types of cyber incidents and losses, so that it becomes very hard to accurately model.
And that is one final area in which I think some government coordination could be of assistance.
Roumeen Islam: So, let’s talk a bit about what happens if there are very large and correlated losses, large systemic losses. Can the cyber insurance market survive this?
Tyler Moore: I think this is the big open question. Most insurable cyber events so far have been relatively small and uncorrelated. Even what we think to be big, like ransomware, isn’t that huge in the grand scheme of things?
It is interesting because it grows from almost zero claims to being the dominant form of loss within a short time, but it’s essentially a manageable loss. There still remains, however, potential for much larger systemic losses arising from new attacks that dwarf anything we’ve seen so far.
For example, an attack that targets critical infrastructures that leads to prolonged outages at large portions of the world or that might cause irreparable physical damage to infrastructure that’s hard to replace. This could trigger much bigger losses.
And so now imagine that the attack targets all the systems running in all utilities across the globe. It’s not so farfetched given that they’re all running only a small number of types of code that have a lot of the same vulnerabilities.
And these kinds of risks are just going to be uninsurable, barring any kind of government backstop on these large losses. I think introducing a backstop introduces its own set of problems, though, because it’s going to encourage this risky behavior and lead firms to transfer their large cyber risks onto the government while at the same time cutting back their own investments and mitigation efforts.
Roumeen Islam: All I can say is that I hope that these new cybersecurity firms that are coming up get us better and better products at affordable rates that we can avoid these problems.
Tyler Moore: Unfortunately, there’s an information asymmetry at play there because it’s really hard for the buyers of these security products to know whether or not you’re getting the best outcome.
And so, I wouldn’t put all your faith in that because it’s not a perfectly working market, I’m afraid.
Roumeen Islam: Yeah, I have understood that I should put my faith in a number of things, spread it around so that I reduce my risks from focusing on just one thing.
Tyler Moore: Absolutely.
Roumeen Islam: So, what should listeners take away from this podcast then? I’d like to hear from both of you. Daniel, would you like to say something and then Tyler, please?
Daniel Woods: Now that’s unlikely to change for various reasons, and so cyber insurance will remain part of how firms manage risks.
One aspect of that I believe should be celebrated. And that is how cyber insurance has created these incident response teams who are engaged via a hotline that’s manned 24/7. And in particular, we should see this as insurance is setting up, essentially, this fire brigade of cybersecurity, but still, there’s a lot of work to be done.
Roumeen Islam: Ok. It’s a nice way of looking at it, the fire brigade. Tyler?
Tyler Moore: Thinking about what needs to be done, I think there’s still a lot of potential for insurers to make a positive difference because, despite the problems we outlined in this podcast, they have great potential in helping us better quantify risks and to help insured organizations prevent cyber-attacks from happening in the first place.
They can’t be the whole solution. We know about these market failures of externalities and information asymmetries, which mean that governments have a role to play. But I think done well, the cyber insurers can really help us make a difference in cybersecurity going forward.
Roumeen Islam: All right. Thank you very much to both of you.
Tyler Moore: Thank you.
Daniel Woods: Thank you.
*****
Roumeen Islam: Well, listeners, what have we learned today? Firstly, However, given the potential for losses to be quite large, insurers often provide tower insurance where a number of insurers cover a part of the risk.
Secondly, regulation can help to guide and bolster the market. For example, regulation requiring data breaches to be disclosed has enhanced the demand for cyber insurance and has also helped suppliers to get more information and data. Thirdly, before an attack, insurance providers can encourage firms to adopt higher levels of cybersecurity, but only up to a point, as costs of tighter security are also high.
Finally,
There’s definitely potential for cyber insurance markets and insurers to support tighter cybersecurity and improved market functioning. Thank you and bye for now.
If you’d like to suggest topics for the future, please email us at tellmehow@worldbank.org. We look forward to hearing from you.
RELATED
Tell Me How: Forging Cybersecurity Responses to the Menace of Cyberattacks
Tell Me How: Sharpening Policies for Better Cybersecurity Outcomes