Saturday, January 07, 2017

Spend money on Insurance or Insights?

A colleague recently circulated a link to a report that claims that the cyber insurance market is going to top $14B by 2022. My rather glib response at the time was something to the effect of, “if cyber insurance policies are still a thing by then.” When pressed for an explanation, I gave the following analogy:

If I get supplemental life insurance I tell the agent that I'm so tall, weigh so much, don't smoke, don't drink, don't participate in high-risk activities, etc. He gives me a quote. Then he sends a nurse is to my house. She determines that I'm not quite that tall, I'm certainly not that thin, the house smells of Borkum Riff, the recycling container is overflowing with empty bottles of Jack, and the walls are covered with pictures of me skydiving, BASE jumping, and running with the bulls. Oh, she also takes my blood pressure, draws blood, and takes an EKG. 

A few days later the agent calls me back and says, “Yeah, that quote I gave you, it’s going to be a bit higher and the coverage, a bit lower.” I don't want my wife and kids to starve if I get hit by a bus so I sign and I pay.

Cyber insurance providers don’t send a nurse to your house. Some carriers make an effort to understand your IT enterprise and others basically take your word for it. In both cases, they ask you to pay A LOT of money in premiums for not a lot of coverage. The way most enterprises of any size operate, it is very easy to get out of compliance with your policy, which means the probability your claim will be denied in the wake of a hack is very close to 1.

Even if your claim isn’t denied outright, there is undoubtedly a cap on your coverage, which means that you’ll still have considerable out-of-pocket costs even if insurance pays out. In high-risk cases, you’ll end up paying first before insurance pays outOut-of-pocket doesn’t mean pocket change either. If insurers are forced to pay out too much, they’ll just stop writing new policies and cancel existing ones. Does no one remember when cyber insurance was a thing 5-6 years ago? You don’t? It was, they lost money, and they stopped doing it. The past is almost assuredly prologue.

You’re CEO of a company in an industry that is at high-risk for cyber-attacks. You could spend several hundred thousand dollars a year on insurance premiums or you could increase the budget of your cyber security team. Which do you choose?

I would argue that in fact you have a third choice: pretend there is a nurse at your house.

Spending a little time and money to assess your true digital health would be exceedingly enlightening. To paraphrase former Secretary of Defense Donald Rumsfeld, you don’t know what you don’t know when it comes to existing and potential liabilities. With this information in hand you have a much better idea of where to spend your limited security dollars to reduce risk, mitigate threats, and identify where insurance actually makes sense and how much. 

I would also argue that you can take things one step further my looking at the data and findings of your existing security testing regime and determine cyber security spending ROI, which would further reduce your exposure. For example, if you regularly conduct pen tests make sure they tell you what they tried that didn’t work (you’re spending enough money/have the right defense there).

Insurance is one tool of many that every enterprise should use to fulfill its risk assessment and reduction responsibilities. But corporate leadership also needs to appreciate that they can do a lot themselves, relatively cheaply, with the same insights that a nurse acquires when she uncovers difference between your image of your enterprise and reality.