Is cyber risk uninsurable?
Only if you don't know what you are doing.
“What will become uninsurable is going to be cyber,” Mario Greco, the CEO of the insurer Zurich, said recently.
“First off,” he continued, “there must be a perception that this is not just data…this is about civilization…[Cyber attacks]…can severely disrupt our lives.”
Greco also called on governments to “set up private-public schemes to handle systemic cyber risks that can’t be quantified, similar to those that exist in some jurisdictions for earthquakes or terror attacks.”
These are very interesting statements coming from the head of a major insurance company. And they look like either a warning shot that some (or most) firms may stop offering policies covering cyber risk, a plea for a government pre-bailout of the insurance industry, or both.
These comments also come on the heels of an announcement earlier this year by Lloyd’s of London that it would be “excluding liability for losses arising from any state backed cyber-attack” meeting certain conditions. I view this move as another incremental step toward not covering the damage from any cyber attacks, a process which can be accelerated by increasingly identifying them as state-backed.
Thus, it is possible that Greco is merely acting in a semi-coordinated manner with his industry peers, and that he doesn’t necessarily believe everything he says.
In any case, I think it’s worth analyzing some of the things Greco stated or implied. That is because several of them are paradoxical or just wrong.
First of all, he creates an odd dichotomy between “just data” and threats to “civilization.” The apparent implication here is that a data breach is a different order of magnitude than an event that cripples critical infrastructure. This I understand (and think pretty much everyone else in the industry does too). But it also reveals a lack of understanding about the mechanism that would cause the latter. It is by impacting the confidentiality, integrity, or availability (primarily the last two) of data that attackers disrupt critical processes. So an incident in which an attacker steals credit card numbers and one in which an attacker shuts down an oil pipeline with ransomware are different in degree, but not in kind.
He also implies that the risks from earthquakes cannot be quantified in a predictable way. This is obviously incorrect: there are highly developed, long-established methods for forecasting earthquake frequency and the damage earthquakes cause. There are even tools emerging to predict when and where earthquakes will occur.
Finally, Greco also suggests that governments should backstop private insurers due to the allegedly unquantifiable nature of systemic risks. If this is the case, how much money should governments set aside? $1 billion a year? $100 billion? $10 trillion? If a risk cannot be quantified by the private sector, how will the government do any better and figure out how much to set aside? This suggestion makes no sense. And implementing it would create a moral hazard by letting insurers know they could receive a (to be determined!) government bailout if they scream loudly enough.
The core of his statement, however, is the most important thing to address: he implies that there is no way to insure against systemic cyber risk.
With the current state of the cybersecurity industry, this may be practically true, so I can understand why Greco might honestly have this opinion. Consider that:
Vast swaths of practitioners are ignorant of or actively hostile to quantitative risk management practices;
Much cyber insurance underwriting involves only sending basic questionnaires to customers; and
The U.S. federal government has never publicly provided any quantitative risk scale for rating cyber events.
But there is no reason this is necessarily true.
Forecasting the likelihood and impact of cyber loss events can be done. It will require more sophisticated methods than are currently in place but it is feasible.
And transference is a legitimate strategy for organizations managing cyber risk. It allows many to cost-effectively address potential loss events that might otherwise end their business.
So if the major players don’t want to write cyber insurance policies, that’s fine. But the government shouldn’t pick up the slack. And there will be new market entrants perfectly willing to try their hand at this allegedly unwinnable game.
I hope that you find Deploying Securely useful. If so, here are some more resources that can help:
1. My free, risk-based vulnerability management (VM) email course. Use it to build the foundation for a quantitative VM program in 5 days.
2. The Deploy Securely VM SOP. A template for running a program developed from years of real-world experience, it will save you huge amounts of time and effort.
3. Book a coaching call with me to get immediate assistance in building your security program.