We increasingly rely on digital channels for all matters of commerce. Whether we are buying tangible items or dealing exclusively in services, we expect risk-managed transfers of money, credit, communications, and control systems. And we rely on cyber insurance to cover the gaps. But will we have standards and regulations in place to meet future business requirements?
Are we creating a farm, or a loose collection of silos?
A recent survey from the SANS Institute – which serves 165,000 information security (InfoSec) professionals with research, information sharing, training/certification, and problem-solving – suggests that there may be some misalignment among key players in cyber risk.
Earlier this year, SANS collaborated with Advisen to determine whether there were gaps in understanding the roles risk management and insurance play in relation to the actual risks Info-Sec personnel face.
SANS and Advisen conducted surveys of InfoSec and Insurance professionals respectively. The goal was very specific: “to provide a deeper understanding of the barriers encountered in establishing appropriate levels of cyber insurance coverage and the impact on the security posture of those organizations.”
Survey says ….
Communication is key to understanding the challenges associated with cyber insurance. Two key gaps exist:
- Between information security and enterprise risk management. Many organizations have been slow to include IT as part of the risk management process. Risk managers typically do not understand InfoSec, and senior security managers may not understand what insurance covers, its purpose or how it works.
- Between information security and the C-suite. Senior security management must play a key role in effectively communicating to the C-suite the status and potential impacts of threats, attacks, defensive technologies and risk-mitigation strategies.
Looking beyond the individual firm, the study found that the communication between companies and insurance professionals needs improvement. While internal InfoSec resources can identify risks with some certainty, the corporate risk manager has a much broader role:
This individual specializes in identifying any potential risks to the profitability or existence of an organization. The risk manager identifies and assesses potential causes of accidents or loss, recommends and implements preventive measures, and devises plans to minimize damage if things go wrong, including obtaining insurance coverage. Purchasing insurance transfers the risk of financial loss from the organization to the insurer in exchange for payment of a premium.
Can we all get together?
In the surveys, all of the players – InfoSec professionals, risk managers, brokers, and underwriters – underscored the need for a common cyber risk language. And there is still a way to go. In the insurer/broker surveys, “only 19% of brokers and 30% of underwriters said there is a common language of cyber risk.”
The authors note that this is due, in part, to the “fast-growing and rapidly changing” environment of the risks. In addition, they note that cyber insurance is relatively new and growing rapidly.
Will Standards help?
Earlier this year, the Centre for Risk Studies at Cambridge University published the Cyber Insurance Exposure Data Schema v1.0. The SANS authors applaud this development with one caveat: no InfoSec professionals were involved.
The jury is out, but our past experience suggests that with so many audiences involved – InfoSec, risk managers, insurers, brokers, and consumers (personal and commercial) – there will be a long way to go.
How about regulation?
SANS suggests that there may be a role for government or other regulatory bodies to “set the basic floor by focusing on flexible standards that allow the cyber security and insurance markets to evolve, rather than legislating strict measures that can quickly become outmoded.”
We have seen a number of jurisdictions become aware of digital developments and act swiftly (e.g. telematics). However, this response is not universal, whereas cyber risk very much is.
Regardless, we need to push forward…
The major risk here is not technical, it is broader, with real consequences. SANS sees the critical need for alignment to manage real risks as digital becomes a leading commercial channel:
While breaches of sensitive information capture current headlines, catastrophic possibilities loom as the Internet of Things (IoT) and interconnected control grids have now become a reality. Who is liable when a car or an airplane malfunctions because of defects in its software design? What happens when the energy grid is hacked and people die? What forms of insurance will or should respond? These may be the questions for the future, but the risk vocabulary, framework and investment elements must adapt now—and quickly—to these evolving threats.
What do you think?
Do you see an urgency here? Should the insurance community take a leadership role?
Editor’s Note: The 2017 Insurance-Canada Technology Conference and Broker Forum (#ICTC2017, #ICBF2017) will focus on the evolution of digital and InsurTech, including business risk, cyber insurance, distribution, and more. Details and registration here.