Companies will no longer be able to hide behind their cyber insurance.
getty
From the recent SolarWinds crash to the Microsoft Exchange server crash, 2021 is already shaping up to be a special year in cybersecurity.
From the days of the Equifax bankruptcy back in 2017, you’d think companies would have woken up, defenses would have improved and catastrophic bankruptcy would start out as a thing of the past. Instead, they seem to be getting worse – spreading longer, faster, and continuing to create chaos with a substantial financial impact.
Cyber threat is no longer news to a boardroom or business leader. So why a break-in? Have real levels of cyber risk been mitigated and reduced? Or has cyber insurance created a classic moral risk problem?
Moral risk is a concept that is associated with gambling with other people’s money. When this happens, greater levels of risk are taken than when your own money is involved. The 2008 financial crisis and the 2010 Wall Street film that caught on when Gordon Gekko said, “Someone is taking your money and they’re not responsible.”
An example of a classic moral hazard is car insurance. Once they have insurance, drivers have little incentive to drive safer as accident costs come with a third party, i.e., the insurer.
Cyber insurance is a fast-growing sector of the insurance industry and was a $ 3.15 billion U.S. market in 2019. It is projected to exceed $ 20 billion by 2025. While prices As cybersecurity continues to rise, concerns about the risks of subscription continue to grow.
The New York regulator for the insurance industry, Department of Financial Services, recently released the Cyber Insurance Risk Framework. This guide is for the insurers they manage and deal with moral risk when they say:
“Insurers that do not effectively measure the risk of their insurers are also at risk to insurance companies that use cyber insurance instead of developing cyber security, and incur a cost. cyber events forwarded to the insurer. ”
Instead of doing the hard work in understanding and mitigating the risk of cybersecurity and the systemic risk it generates, NY DFS says companies have just taken responsibility for insurers. Now, NY DFS is urging insurers to better understand these cyber threats. This will force the companies they insure to do the same.
This will dramatically change the risk assessment processes of the cyber insurance industry and their prices and coverage conditions. In terms of systemic risk, their framework also addresses this where it states:
“As part of their cyber insurance risk strategy, insurers offering cyber insurance should regularly assess systemic risk and plan for potential losses.”
So yes. Cyber insurance has increased cyber risk. At least according to DFS NY. Insurers require their insurers to help them understand these issues before assuming these cyber responsibilities.
The easy days of passing the cyber threat buck through insurance are over. Corporate boards, business leaders, and CISOs now need to work hard to understand and mitigate cyber and systemic risks before their insurers write them down.
Once insurers and insurers have a better understanding of what they are and have subscribed to, this cyber risk clarification may lead companies to realize that the best and most cost effective cyber insurance policy the work they do to reduce cyber risk. Only then will they see real levels of cyber threat come down.