The future of cybersecurity might be insurance
For some time now, I’ve been considering a hypothesis that the future of cybersecurity is some form of vertically integrated set of products, services, and insurance. This won’t be where emerging or niche cybersecurity products and services live. Instead, it will bring actuarial rigor to identifying and measuring the outcomes that cybersecurity vendors claim to deliver, and so it will consist of the subset of offerings that provide consistent, provable value (i.e., things that reliably mitigate high impact threats). The primary consumer benefit will be a faster path to a good enough cybersecurity portfolio for a large percentage of organizations.
Enter the National Cybersecurity Strategy
With the release of the United States 2023 National Cybersecurity Strategy, there’s been much ado about this strategic objective:
STRATEGIC OBJECTIVE 3.6: EXPLORE A FEDERAL CYBER INSURANCE BACKSTOP
When catastrophic incidents occur, it is a government responsibility to stabilize the economy and provide certainty in uncertain times. In the event of a catastrophic cyber incident, the Federal Government could be called upon to stabilize the economy and aid recovery. Structuring that response before a catastrophic event occurs, rather than rushing to develop an aid package after the fact, could provide certainty to markets and make the nation more resilient. The Administration will assess the need for and possible structures of a Federal insurance response to catastrophic cyber events that would support the existing cyber insurance market. In developing this assessment, the Administration will seek input from, and consult with, Congress, state regulators, and industry stakeholders.
Equally important is the Strategy’s drive to improve development practices by limiting the degree to which vendors can absolve themselves of liability: “Any such legislation should prevent manufacturers and software publishers with market power from fully disclaiming liability by contract, and establish higher standards of care for software in specific high-risk scenarios.”
For those who have been following along at home, the Federal Government has been doing its homework and soliciting input on this for years. Notably, this research broadened with a call from the Government Accountability Office in June 2022, urging that “Treasury and Homeland Security jointly assess if a federal response is needed to address the situation.” This was followed by a formal request for comment from the United States Treasury later in 2022, titled “Potential Federal Insurance Response to Catastrophic Cyber Incidents”. So, the announcements in the National Cybersecurity Strategy are important but not surprising.
Back to private industry
The cyber insurance industry has swung like a pendulum within the last decade. Coverage that was once cheap, plentiful, and underwritten with little rigor produced substantial losses for carriers, and the market has relatively quickly become a web of underwriting requirements, sub-limits, and narrowing coverage. So, there will be a lot of momentum and buzz about the prospect of the government stepping in to provide some stabilization. But there are also plenty of potential, or even likely, downsides, including:
- Moral hazard - There’s been plenty of anecdotal correlation between the tightening market for cyber insurance and increased investment and attention by organizations in their own cybersecurity posture. Knowing that the government will be there to bail them out—whether directly or through their insurers—may stymie this progress.
- Absence of catastrophic economic risk - Directly from Lawfare: “There is no evidence that firms are halting online economic activity because of either low cyber insurance limits or the introduction of new war clauses. It is simply unthinkable that retail firms would shut down websites and rely on brick and mortar stores because of changes in cyber insurance coverage. The impact of the digital age—and reliance on the internet—is simply too strong.”
There’s plenty more to be considered. But the sheer magnitude and complexity of the economics of cybercrime (in particular, how we insure against losses), combined with a cybersecurity solution landscape that is expansive but not yet bound to measurable outcomes, are all strong indicators of opportunity. A marketplace for offerings with tightly aligned incentives will advance both the insurance and cybersecurity industries in a meaningful way, raising the standard of cybersecurity posture at large and, in turn, alleviating some of this public and private market pressure.