You’ve heard it before: The cybersecurity world has a problem, or the world has a cybersecurity problem. From the Target and Sony hacks to the Office of Personnel Management breach that compromised data on up to 25 million Americans earlier this year, attacks on both public and private networks have been on the rise in the last several years. Congress, the private sector, and the security research community are trying to find a solution, but, with all due respect, some people are just flat-out missing the proverbial rub.
Much of the debate around cybersecurity, particularly in Congress, would lead you to believe that we face technical challenges that are nearly insurmountable, and that our best bet is to institute some form of better information sharing between the government and the private sector to come up with better guidelines for software vulnerability disclosure.
These solutions, if crafted carefully, do have potential. They do not, however, address the real problem.
A report from Verizon earlier this year illuminates the alarming fact that 99.9 percent of cyber incidents involve known, and often patchable, software vulnerabilities. If we know what the problem is, what are the cyber-baddies really exploiting?
Despite the narrative, the crux of our current cyber problem is largely not technical at all, but instead comes down to organizational behavior. Bad security practices and poor investment in OPM’s IT security are largely culpable for that hack, and Sony was compromised via basic social engineering. The humans were the weaknesses in the system that the bad guys sought to exploit. These are the vulnerabilities that are in the most urgent need of patching.
There are several ways that policy and the market can influence human behavior to offset these human vulnerabilities: through legislation (including the tax code), regulation, and, in concert with or in lieu of the others, insurance premiums. Legislation and regulation are cumbersome and, once written, slow to change, which is not ideal in an environment as dynamic as cyberspace, where the cutting edge can quickly become obsolete. Lawsuits are on the rise, but are also a slow lever for change. The final option is a thriving insurance marketplace.
In practice, insurance companies act as regulatory bodies, mandating security standards and behaviors that, if left uncorrected, can void coverage. The problem at this point in time is not coming up with standards and practices, which already exist, but ensuring that they are followed. At the moment, they are not. Widespread insurance coverage could change that, but the market is immature and we’re just not there yet.
Why not? What is stopping a thriving cyber insurance marketplace from emerging? As New America Cybersecurity Fellow Harvey Rishikof’s upcoming white paper will show, the problem is not a lack of demand. Companies that rely on computer networks and the Internet are chomping at the bit for a better way to manage and diffuse their risk from connectivity. Instead, the problem is on the supply side, on the part of insurance companies, which have yet to overcome apprehension over what a breach might mean.
The 2011 breach of Sony’s PlayStation data was a rude awakening for the insurance industry. Zurich, the company that covered Sony under a run-of-the-mill commercial liability policy, argued the firm’s claim was invalid as the coverage didn’t include cybersecurity incidents. In 2014, a New York court agreed with Zurich, ruling that the general coverage did not actually cover Sony’s data breach and setting an unfavorable precedent for other companies seeking payouts under similar plans. If general liability insurance won’t cover data breaches, but demand for coverage is still there, what should follow is meticulously-crafted, cyber-specific insurance products. And yet, the marketplace for comprehensive coverage is fledgling at best.
What, then, can be done to get this market going? Congress can pursue smart legislation to inject more life into the marketplace. New America Cybersecurity Fellow Elana Broitman outlines three specific measures that Congress could take in her recent paper. First, it can ensure that “there are appropriate and sufficient resources for the research and development, testing, and aggregating and publishing of data” through smart appropriations. Second, it can pass amendments to the Support Anti-terrorism by Fostering Effective Technologies Act that are better tailored to cybersecurity, and offer a “federal certification based on the nature of the attack and the scale and type of damage.” Finally, it can create a cyber version of the Terrorism Risk Insurance Act, which would encourage the expansion of coverage to cover state-sponsored or terrorist attacks.
The goal of all of this legislation would be to incentivize insurers to design new and more effective products. The problem right now is that insurers aren’t sure about the risk they’re taking on. The source of this uncertainty is that risk assessment and actuarial practices haven’t caught up with demand, and firms’ assessment practices have not yet reached a maturity level commensurate with the insurance industry’s standards. No government incentive short of sharing the liability with the insurance industry is likely to heighten interest in the face of such uncertainty. While some cyber coverage does exist, it is inadequate, and there have been some knee-jerk reactions to roll it back further.
What the insurance industry needs, then, is a better understanding of the risk it assumes. As New America Cybersecurity Fellow Trey Herr argues in an upcoming paper, risk assessment for insurance is still working off of outmoded assumptions that don’t take into account the intentions and capabilities of groups launching attacks. Add to this the disagreements about what the consequences of an attack might be and how to measure insurance customers’ vulnerability to an incident, and you have a recipe for trepidation from the insurance industry. The dynamism of both threats, which adapt constantly to the defenses in cyberspace, and vulnerabilities, which change with new software, hardware, and defensive technologies, poses challenges to the traditional actuarial risk assessment and management paradigm. In the absence of good historical data, building in better assumptions and focusing analysis on the key drivers of risk in cybersecurity could make for effective risk assessment and a healthier insurance marketplace.
If insurance firms can better grasp the risks associated with expanded coverage, they will then attempt to minimize the risk they take on—and they are historically adept at doing so by mandating certain behaviors of their clients. An insurance market might be able to encourage widespread adoption of the sort of best practices, like more and better encryption, which remain legal but controversial to some. Even simpler standards like good patch management could be adopted more rapidly. And once the lower-hanging fruit of human vulnerability is addressed, insurance companies could move on to risk mitigation by working with soft- and hardware vendors to address technical vulnerabilities.
That’s the discussion we need to be having, which is why, on October 26th, at New York University, Trey, Elana, Harvey, and I will join a group of experts to discuss the promise and practice of cybersecurity. Insurance will not fix America’s cybersecurity problem overnight, but it is one step in a series to bring us closer to a more secure cyberspace. At the very least, in focusing on it, we will have made an important admission: The fault lies not in our cyber, but in ourselves.