Insurance Companies Will Shape the Future of Cyber Security

For too long, vendors have capitalized on industry fear of breaches to sell confusing products that may or may not provide value. But fanning the flames of cyber hysteria has started to backfire.

Companies now consider potential losses from a cyber breach as a cost of doing business. CFOs are even factoring potential losses into financial projections. Rather than increasing spending on what appears to be a lost cause, more and more organizations are simply buying cyber security insurance for the eventuality of a breach.

A major advantage of cyber security insurance is that the insurer is responsible for quantifying risk. This is a huge improvement over just throwing piles of cash at the latest and greatest security product. Vendors are happy to tell you what you have isn't good enough and that you need more, and oftentimes (understandably) companies find it difficult to know who or what to believe.

As an industry, we’ve arrived at an interesting point. Companies no longer have to care about how much a breach will cost, just how much cyber security insurance costs.

And thus, the future of cyber security will be heavily influenced by the insurance industry.

Modeling Cyber Risk: A Tough Nut to Crack

Of course, it’s in the insurers’ best interest to accurately model risk and encourage companies to prevent breaches. As a result, the insurance industry is having a broader influence over how cyber security decisions get made in organizations.

As Bruce Schneier points out, it’s not about technology for threat avoidance, it’s about strategies for risk management. In the same way that you may join a gym to get cheaper health insurance premiums, companies will comply with insurers’ recommendations to lower cyber security premiums. The cyber security market is particularly conducive to having standards set by an external authority.

Many companies already leverage Managed Security Service Providers (MSSPs) who not only decide what hardware and software security solutions a company purchases and deploys, but also respond to the cyber security incidents that a company may face. Because it is such a confusing space, customers are more willing to acquiesce to requirements for insurance, especially if it just “makes the problem go away.”

This presents a distinct opportunity for cyber security organizations and insurance companies alike.

Challenging Current Risk Models

The biggest challenge (and opportunity) lies in how to accurately model cyber security risk. Historically, modeling in the cyber domain has been more art than science, albeit an art with some huge price tags. Despite the fact that many insurers are essentially eyeballing it, business is booming.

In 2015, premiums were estimated at $3 billion, and that number is expected to triple within four years.

But massive uncertainty remains around how to validate model accuracy and optimize policy pricing. Multiple analysts indicate cyber security insurers are dramatically overexposed. There is a great need for better modeling techniques to optimize pricing and margins. The accuracy of cyber risk models will ultimately determine the winners and losers of this evolving market, and unlock the tsunami of cyber risk underwriting that will ensue.

The problem is that insurance companies don’t have cyber security expertise, and cyber security professionals typically don’t know data science. Insurers don’t use essential data like vulnerability analysis because they don’t know how to interpret it. At the same time, cyber security professionals don’t understand that there’s a huge difference between vulnerability analysis and risk analysis; current risk models are essentially “black boxes.” They don’t clearly show how cyber data correlates with breach data, and simply assign a risk score based on “expert opinion”.

To put it plainly: there’s no way to validate the data.

Bridging the Risk Model Gap

Any model is only as good as the data it’s based on, but current risk analysis has little to do with threat detection. Insurance companies and cyber security organizations need to use the right analysis on the right data to paint a better and more accurate picture of risk. One methodology is to use statistics and machine learning to correlate customer data with breach data enriched with cyber security intel.

Risk scores should not be based on expert opinions that can’t be assessed, but on statistical correlation with historical breaches. With help from the data science and cyber industries, insurance companies will slowly hone their ability to accurately model cyber risk. As they do, they’ll begin to prescribe tools, techniques, and guidance for their customers to implement in order to reduce the cost of premiums.

And because companies will want to pay as little as needed to offload as much of their risk as possible, they’ll buy the recommended tools and implement the best practices determined by the insurance companies.

Thus, the insurance industry will play kingmaker to the cyber industry’s next great companies.

Agree, disagree? Have other thoughts on this piece? We’re leading a lively discussion on the Data Science for Cyber Insurance LinkedIn group. We’d love to hear your thoughts!

Jyotin Gambhir

Entrepreneur | Founder @SecureFLO | MD @Secureflodev | Technologist | Listener | Learner

7mo

Cort, thanks for sharing!

Azem H.

Finance-related Tech Roles, Consulting,

4y

When I was younger, not being too old now, we were working on programming, at that time we created lucky sewn 7 which was composed of 5 commands but in the security matrix was in the binomial - infinite which means the security of full was equal to the impossible today! But those hopes were dashed because we never found a scale to invest in! When we talk about information security I can say 2004 was - the security determinant is the Garrulous or triangle matrix - the universal limit of mathematics. In hard does not leak information, because the 5 combinations are logical numbers combined in mathematics cut in - infinite and combination only in a number or touch, or odor, at the time when we were operating we were paying 130 US dollars per month. It's not interesting but I just say something!

David Bukovsky

Growth driver | Cloud AI/ML for Insights and Automation | GM/Product Exec(CPO)/CMO/CRO

5y

Very interesting article. Do you think that cyber firms should offer detection/protection technology, risk analysis, and insurance as a bundled offer? Collapsing all 3 into a one-stop shop? One throat to choke. It seems that at least the latter 2 need to be bundled by the insurance firms - but I wonder if the cyber firms could be the one-stop shop as well as/instead of only the insurance companies?

Indrajit Atluri

Cybersecurity, Cloud, and Privacy

6y

Cyberinsurance and Cyberrisk should be complementary but often are siloed and disjointed. New #regulations and directives further deteriorate the problem. Read my #ISACAJournal article that proposes adopting quantitative #riskassessment methods like #FAIR #FAIRmodel. https://www.isaca.org/Journal/Blog/Lists/Posts/Post.aspx?ID=403

Bob Korzeniowski

Wild Card - draw me for a winning hand | Creative Problem Solver in Many Roles | Manual Software QA | Project Management | Business Analysis | Auditing | Accounting |

6y

I'll believe this when I see insurance companies creating cybersecurity jobs that require no experience.
