The U.S. cyber risk insurance market has been growing for years as small, medium, and multi-billion-dollar firms, including financial institutions, treat insurance coverage as a strategic tool for mitigating the loss and liability that follow a successful cyber-attack or data breach. According to one market study, the cyber security insurance market was valued at about USD 5 billion in 2018 and is expected to reach almost USD 21 billion by 2024. The reason behind these numbers is not far-fetched: data breaches and data loss are on the rise, which in turn drives the need to offset liability.
However, a would-be insured organization will always have questions to answer and factors to ascertain before it can judge whether buying an insurance policy is an effective way to mitigate cyber-attack liability. The question in my mind remains: how can we develop a strong cybersecurity insurance policy framework that will stand the test of time and the evolution of cybersecurity threats?
In my opinion, a silver-bullet approach cannot work, since there are multiple stakeholders and a high level of vulnerability in financial institutions' cyber-space and cyber-operations. Instead, I propose a multi-stakeholder approach, or a shattered-bullet approach. By that I mean that financial institutions, cybersecurity insurance providers, government, and academic professionals should collectively develop and implement a framework tool. The strategy for developing this framework could be organized under three major headings: information sharing, regulations and standards, and academic research.
Information sharing
A shared platform should be instituted to promote information sharing between financial institutions, the government, and cyber risk insurance companies. To keep my proposal simple and comprehensible, I highlight below the vital areas where information needs to be shared.
- Standards, common language, and best practices: For example, insurance companies can publish methods for cyber risk assessment and schemes for classifying cyber-related loss events. This eases communication and understanding between stakeholders.
- Risk management approaches for critical crises: Financial institutions are encouraged to share their risk governance and management approaches with other players in the industry. I understand that it might not be feasible for financial companies to share such proprietary know-how with competitors. However, they should be able to share it with insurance companies, which can then compare it with the approaches other institutions adopt. In so doing, the insurance company can provide independent and fair advice based on its judgement of how well such an approach performs.
- Technical development: Financial institutions should invest in their technical departments by ensuring they keep up to date with technological developments. The technical department should be continuously aware of which architectural IT improvements can increase resilience to emerging cyber risk.
Government regulations and reporting standards
At the federal level, government should enact regulations and standards that promote and encourage information sharing among financial institutions, among insurance companies, and between financial and insurance institutions. This would support the information sharing approach highlighted above. At the time of this article, we have the Insurance Data Security Model Law adopted by the National Association of Insurance Commissioners (NAIC). Its purpose is to establish standards for data security and for the investigation of, and notification to the Commissioner of, a cybersecurity event by licensees (insurers and other entities licensed by the state insurance regulator). The NAIC is the country's standard-setting and regulatory support body, created and governed by the chief insurance regulators from all 50 states, the District of Columbia, and the five U.S. territories. Even with such a broad governance boundary, only seven states have adopted the model law so far.
The U.S. government can focus attention on the financial industry by redefining the minimum standards that currently mirror those of traditional insurance. The cyber risk faced by financial institutions goes well beyond that faced by other industries, so they should not be subject to the same definition of minimum standards. Doing so would reduce moral hazard, which is one of the main challenges to cyber risk insurability.
Academic research
I found that academic research on the supply and demand sides of insurability is unequal. Most research focuses on what can be done, or is being done, by insurance companies (the suppliers), whereas little attention has been paid to what financial institutions need to do to make sure they get the optimum benefit from cyber risk insurance as a tool for cyber threat mitigation. I subscribe to encouraging two distinct research focuses in this area. First, cyber risk and cyber risk insurance must be addressed from an economic point of view, so more research should be done from a cost-benefit perspective. Second, research should focus on the collective roles that can be played from the supply and demand ends. Such research would aid the information sharing proposal mentioned above.
Conclusion
The cyber insurance market is small at the moment compared to its potential growth in the coming years. The financial industry faces high cyber risk vulnerability because of how it delivers services to customers and the multiple parties that have to share those customers' financial records. There are various weak spots that cyber-criminals can penetrate to breach confidential data. The loss financial institutions incur is enormous and can be direct or indirect. Financial institutions need to develop a sustainable mitigation strategy to keep loss and risk manageable. Cyber risk insurance, albeit with some inherent limitations, could be a strong mitigation tool for vulnerable companies in the financial sector. To make this a reality, the factors and strategies highlighted above should be implemented.