Is the insurance industry about to disrupt enterprise cybersecurity?

Almost six years ago, in the summer of 2013, something unusual happened. An invitation went out to the insurance industry to come to Washington, DC for a roundtable discussion with cybersecurity leaders within the Obama administration, the Department of Homeland Security and the National Institute of Standards and Technology (NIST). At that time, what came to be known as the NIST Cyber Security Framework, an easy-to-understand roadmap for enterprises to improve their cyber risk posture, was in its draft stages and the government wanted leading insurers and brokers to opine.

For those of us privileged enough to attend, this meeting was significant as many of us began to understand that the insurance industry had a public policy role to play beyond financial loss indemnity and recovery. There was a consensus at that time that imposing stringent regulation to solve this problem was the wrong approach. Technology evolves fast and regulatory requirements would be outdated almost as soon as they were implemented.

Indeed, that explained why NIST had devised a “Framework” rather than a “Standard.” A better approach would be to promote market-based incentives, and who better than the insurance industry to do so? After all, in other, more mature risk classes insurers typically provide more competitive premiums or lower deductibles for installing a sprinkler system in your building or an intruder alarm in your home. So why not for better cybersecurity?

It isn’t that simple, of course. Although government engagement was clearly welcomed, there was one significant problem: “data”, or rather a lack of it. Insurers acknowledged that pricing was market driven and that, without better access to and understanding of risk data, they were unable to price risk accurately. If they could not price risk accurately, then they could not be expected to provide incentives to their customers. In the years that followed, government took the lead through DHS in establishing a means to share risk data between the public and private sectors and within the private sector itself. Sadly, progress was slow going, but there may be a sign that change is finally afoot, and it could be significant.

On March 26th, an article in the Wall Street Journal announced that Marsh & McLennan Companies, the world’s largest insurance broker, had launched Cyber Catalyst. Marsh would collate scores from leading insurers regarding the effectiveness of cybersecurity products in combating attacks. Although the article is short on details about how this evaluation is actually made, one sentence in particular stands out: “Corporate policyholders that use the designated offerings may qualify for improved terms and conditions on policies negotiated individually with participating insurers.” In other words, insurers would incentivize Marsh’s clients to use specific products, presumably based on incident data that they see in their risk portfolio.

“Is the way enterprises approach cybersecurity about to change? Will organizations, incentivized by ROI for their insurance program, increasingly look to their insurers to manage risk rather than the cybersecurity industry?”

The insurance market for any new and emerging risk will always be somewhat dysfunctional, as loss experience is limited at the outset. This is especially true of cyber, which is not only dynamic, through ever-changing threat vectors and technology, but also highly interconnected between enterprises. However, does the recent Marsh announcement signify that the way enterprises approach cybersecurity is about to change, and that organizations, incentivized by ROI for their insurance program, will increasingly look to their insurers to manage risk rather than the cybersecurity industry?

If you believe that we have genuinely shifted from prevention to a resilience mindset where compromise is expected then insurance clearly has more relevance. Food for thought.