In my last blog, I discussed the emergence of cyber security insurance to address the growing threat of data security breaches. As cyber security insurance becomes more common, I think it’s important for us to consider the impact of this new development, because it’s likely to have far-reaching consequences in the near future. Let’s consider these consequences, drawing on a bit of insurance history.
Two hundred and fifty years ago, insurance companies refused to insure houses that were considered fire hazards. They developed criteria for assessing fire hazards, charged higher premiums for riskier dwellings, and developed safety standards that were eventually adopted in building codes and zoning laws. If I draw a parallel to cyber security insurance, I foresee an IT security world that includes:
- Regular security audits by insurers – In order to determine the risk levels of clients, insurers will conduct assessments of their clients’ IT security operations.
- Price incentives – Based on risk assessments, insurance companies will charge higher premiums to companies they see as more risky. (This is already happening today to companies in high-risk industries like retail or to companies with a history of data breaches.)
- Conditional coverage – Based on risk assessments, insurance companies may deny insurance to companies that do not meet their standards.
- Mandated security standards – Over time, the cyber security standards developed and used by insurers may be adopted into state and federal law.
Now for the fun part of the discussion! Are these changes a good thing or a bad thing for most organizations?
Broadly speaking, the following developments seem positive:
- Greater executive awareness and focus – Recognition of the severity of cyber security risk at the board room level should make it easier for IT departments to gain approval for needed security initiatives.
- New financial incentive for organizations to improve IT security – They can obtain better insurance coverage at lower rates.
- Better security standards – The work done by insurance companies could help to define security standards and best practices across industries.
But there are also some potential negative consequences:
- Relaxation of security efforts – It’s possible that some organizations will feel a false sense of security from cyber insurance and seek to reduce investments in security products, policies, and processes.
- Increased burden of legislation – Most lawmakers are not security experts and don’t understand all the nuances of IT security, so we may see new and costly security mandates that don’t effectively address risk.
- Setting the bar too low – Unless security assessments by insurers are thorough, organizations may do only enough to pass audits and then fail to address broader security requirements.
- Smaller companies placed at a disadvantage – Small-to-medium businesses may not have the budgets to afford expensive cyber insurance and/or the increased security budgets needed to pass insurers’ assessments. And not having cyber security insurance may place them at a disadvantage vs. larger competitors.
Final Thoughts: It’s high time we bring risk management discipline to IT
In my experience, most IT organizations approach security as a technology initiative, without much consideration of business risk. In fact, many companies don’t quantify their cyber-specific legal and regulatory exposures, or the potential costs of response, liabilities, and longer term damages to brand and reputation. I think all companies will benefit from more discipline and more “science” around determining cyber security risk and how to better address it. The world will also benefit from increased data sharing and research on cyber attacks and their impact, allowing us to more easily learn from the experience of others. We might even improve our success rate in finding and stopping cyber criminals.
What do you think?