Since the days of the Equifax breach back in 2017, you’d think that companies would have woken up, defenses would have gotten better and catastrophic breaches would start to be a thing of the past. Instead, they seem to be getting worse — spreading further, faster, and continuing to create chaos with material financial consequences.
Cyber risk isn’t news to any boardroom or business leader any longer. So why do breaches continue to proliferate? Have real levels of cyber risk been mitigated and gone down? Or has cyber insurance created a classic moral hazard problem?
Moral hazard is a concept that relates to gambling with other people’s money. When this happens, greater levels of risk are taken than when your own money is at stake. The financial crisis of 2008 and the Wall Street movie that followed in 2010 captured this when Gordon Gekko said, “somebody takes your money and he is not responsible for it.”
A classic moral hazard example is automobile insurance. Once insured, drivers have little incentive to drive more safely as the costs of an accident will be borne by a third party, i.e., the insurer.
Cyber insurance is a rapidly growing sector of the insurance industry and was a $3.15 billion U.S. market in 2019. It is estimated that it will be over $20 billion in 2025. While cyber premiums continue to rise, concerns about the risks being underwritten are growing.
Recently, New York’s regulator for the insurance industry, the Department of Financial Services, issued their Cyber Insurance Risk Framework. This guidance is for the insurers they regulate and addresses moral hazard head-on when they say:
“Insurers that don’t effectively measure the risk of their insureds also risk insuring organizations that use cyber insurance as a substitute for improving cybersecurity, and pass the cost of cyber incidents on to the insurer.”
Instead of doing the hard work of actually understanding and mitigating cybersecurity risk and the systemic risk that it breeds upon, NY DFS is saying that companies have simply passed on the liability to the insurers. Now, NY DFS is asking the insurers to understand these cyber risks better. This will force the companies they cyber insure to do the same.
This will significantly change the cyber insurance industry’s risk assessment processes and their premiums and coverage terms. Regarding systemic risk, their framework also addresses this when it says:
“As part of their cyber insurance risk strategy, insurers that offer cyber insurance should regularly evaluate systemic risk and plan for potential losses.”
So yes. Cyber insurance has increased cyber risk. At least according to the NY DFS. Insurers will be forcing their insureds to help them understand these issues before assuming these cyber liabilities.
The easy days of simply passing the cyber risk buck through insurance are over. Corporate boards, business leaders, and CISO’s will now be forced to do the hard work of understanding and reducing cyber and systemic risks before their insurers will underwrite them.
Once the insurers and the insureds have a better understanding of what they are and have been underwriting, this cyber risk enlightenment might just cause companies to realize that their best and most cost-effective cyber insurance policy is the work they do to reduce cyber risk. Only then will they see actual levels of cyber risk come down.
Source: Forbes
Share this article:
