Cyberattack — are companies ready for the big one?

As data breaches and hacking schemes accumulate, US companies are bombarded with Armageddon scenarios.

They are urged to model and insure against more and more complex data losses. The latest is today’s news that hackers, reportedly Russian, have attacked J.P. Morgan Chase and four other banks; the Federal Bureau of Investigation is trying to determine whether the Russian government is behind the attack, in retaliation for US-led sanctions.

An increasing number of attacks has created demand for comprehensive cyber-insurance products, and for insurance companies willing to commit capital to the risk of catastrophic cyber losses. Insurance companies have hurried to meet this demand.

There is evidence, however, that what insurance markets regard as a catastrophic cyber loss may actually be a warm-up for the main event. Warnings of a cyber attack that shuts down not just a major retailer but whole industries have moved out of the realm of security experts. Recently, the federal government and some of the biggest companies in the nation have begun working in concert to identify, measure and protect against the mega-cyber loss — the one so big that it impacts national security and causes the stock market to falter.

The risk of bad underwriting: Past insurance gold rushes have ended badly for underwriters who sold policies aggressively to get premiums in the door, ignoring their risk modelers and the inevitability of losses from cyclical perils. Businesses need to consider whether this pattern might repeat itself in the cyber-risk realm. What if the risk of a massive cyber assault cannot be effectively modeled based on existing data? What if insurance companies are competing for cyber-insurance premiums more or less blindly?

In the wake of a huge natural disaster, property insurance companies often withdraw from writing property policies, or threaten to withdraw in an effort to gain government aid. For example, following Hurricane Katrina in 2005, State Farm withdrew from writing commercial and homeowners policies in Mississippi, citing the state’s “current legal and political environment.” A withdrawal of that kind is, in effect, an admission that the insurer modeled the risk incorrectly, failed to mitigate it through diversification or transfer to reinsurers, or did not heed its own risk modeling when pricing policies.

Wanted: better data security standards: Effective underwriting and pricing of the risk of a catastrophic cyber attack is elusive because there are no agreed-upon data-security standards guiding companies in their preparation for the Big One, standards to which insurance underwriters could refer when evaluating risk and pricing policies. The NIST Framework for Improving Critical Infrastructure Cybersecurity gives organizations a risk-management process for informing and prioritizing cybersecurity decisions, but it is voluntary and does not prescribe a specific set of controls against which an underwriter could measure a policyholder.

If Congress were more effective at bipartisan problem-solving, it would appoint a special commission to hear evidence from security experts, risk managers and insurance underwriters to generate a set of best practices for measuring and protecting against the risk of a catastrophic cyber attack affecting critical infrastructure. But such concerted government action seems Utopian today.

The worst-case scenario, when the Big One happens, is that insurance companies will disengage from their corporate policyholders just as the wave of catastrophic claims breaks over insurance markets. When this catastrophe occurs, policyholders and their insurance companies must re-engage at a deeper level, to work through the aftermath of a disaster. But this kind of re-engagement is unlikely to happen absent better underwriting and pricing of cyber insurance, coupled with the best possible policy forms that minimize insurance companies’ ability to raise technical-coverage defenses.

Without these important controls, it will be difficult for corporate policyholders to remain confident that when the inevitable mega-cyber attack happens, the insurance industry will be ready for it — and willing to pay what undoubtedly will be enormous claims.

Multi-tiered risk management: Given the uncertainties of risk transfer, what’s a prudent company to do? Step one for avoiding an uninsured catastrophe is to beat cyber criminals at their own game through better data security. Yet experts constantly warn that no set of security controls is certain to fend off a determined attacker; good security lowers the likelihood and size of a loss, but it does not remove the residual risk. It would be naïve to rely solely upon good security in this threat environment.

The ultimate form of self-reliance against an uninsured or ineffectively insured cyberattack would be self-insurance, in which alternative vehicles such as captive insurance companies are used to retain and fund the exposure. (Captive insurance companies are subsidiaries of non-insurance firms, created to protect their parent organizations against risk.) Those vehicles may run into the same capacity limits found in the standard insurance markets, although reinsuring a cyber-loss exposure written by a captive may offer better opportunities to spread the risk.

Given the limitations of any one tool, disastrous cyber risk requires a multi-tiered strategy to mitigate and spread it: a combination of vigilant security, alternative insurance vehicles, and the many cyber-insurance products available to transfer this kind of risk away from the company’s balance sheet. It also requires awareness that many of the more traditional lines of insurance, such as crime or general liability coverage, may respond to at least a portion of the claim.

A truly prepared company will have coordinated these measures at the executive-suite level, with a clear vision of the scope of the risk. The need for the attention of a company’s senior management and board has never been more urgent.

This story first appeared in MarketWatch