WASHINGTON — Companies have figured out how to limit exposure to the risks of fire and liability by buying insurance, and now, they’re starting to look at whether they might similarly protect themselves from cyberattacks.
The problem is that no one knows how to quantify the risk of cyberattack, and how much the attacks really cost.
“This is a numbers game, but for the insurance folks to do their work, you need to know what the rate of accidents are,” said Larry Castro, managing director at the Chertoff Group and a longtime official at the US National Security Agency.
“Within our country, there is no commonly accepted database that would give you that actuarial information that would allow folks to come up with underwriting schemes that would account for the risk, and still make this a profitable venture for the insurance folks,” he said.
Jeff Schmidt, speaking as part of a panel with Castro at an event hosted by the Atlantic Council in October, described part of the problem as the newness of cybersecurity.
“Information security is a very young science,” said Schmidt, who runs JAS Global Advisors. “The metrics don’t exist, the models don’t exist, the valuations don’t exist.
Typically when you have a risk, you identify your risk, you mitigate it to an acceptable level, and you either choose to accept or transfer the rest,” he said. “But we’re not there yet in information security. The valuation models don’t exist, the insurance products don’t exist.”
Ideally, companies would be able to buy insurance with premiums based in part on the level of cybersecurity they have in place. So far, that hasn’t happened, which reinforces the secrecy around disclosing incidents, since companies that disclose gain no financial protection in return.
There is one notable exception to that rule: stolen records. Roughly three-quarters of existing insurance related to cyber is connected to protection based on records theft.
Part of the reason this type of event can be insured is that there are clear dividing lines on what has been stolen, but there’s also the fact that some states have put a specific price per record on the theft of consumer data.
“The reason we have that is not just because a data breach is a discrete event, but there are laws in America that say that if you have one, you have to incur cost,” said Allan Friedman, a fellow at the Brookings Institution, a Washington think tank.
“That is what drives a financial market,” he said. “You have a government that creates particular options, and then the private sector’s actually involved to figure out whether to mitigate that risk or transfer it.”
Despite the difficulty of quantifying the cost and risk that such insurance would cover, there is interest and a developing science, experts say. It’s not unimaginable that soon, companies will be able to buy financial protection from attacks just as they can buy software protection, and that may let them be more open about the attacks they face.
That in turn could help researchers better defend companies, driving risk down and lowering the insurance costs, creating a cycle of diminishing risk.