As the pace of cyber attacks continues unabated we can reasonably assume that the number of targets of those attacks will grow and the economic cost will increase accordingly. Although there is certainly no silver bullet, some fresh thinking has applied a novel approach to motivating industry to do a better job of protecting its own interests.
A new product, cybersecurity insurance, will hit the market in June, 2019. Launched by Marsh, the program includes eight major global carrier participants. Cyber Catalyst, as the program is called, is designed to help organizations make more informed choices about cybersecurity products and services in order to better manage cyber risk. Insurers, along with Microsoft serving as technical advisor, will assist companies to identify cybersecurity solutions they consider effective at reducing their exposure to attacks.
Impetus for the initiative may have arisen from studies conducted by the U.S. Department of Homeland Security. In 2016, their Cybersecurity and Infrastructure Security Agency (CISA) developed the idea that if the insurance industry served as a motivating force to industry through economic incentive it might foster improved security measures and better prevent cyber attacks. Premiums would be predicated upon not only the level of self-protection implemented, but its quality. In other words, not only do it right but do it better. In fact, undertake a best practices program overseen by the insurance industry, a program you will be rated on and coverage priced accordingly.
The market for cybersecurity products and services is vast - $110 billion and growing rapidly. But companies can find it challenging to evaluate those offerings and make informed choices. Carriers, who have been forced to contend with the costliest and most devastating cyber events of the past decade, have extensive experience in this area. Rating the efficacy of cybersecurity software and technology is a logical application of that experience.
Taking the idea one step further, it might be possible to consider a future where insurers go beyond simply offering economic incentives to encourage businesses to purchase the best cybersecurity solutions. Just as carriers give discounts to building owners with LEED certification, they could provide better terms to businesses whose internal policies are certified to be in line with the latest cybersecurity best practices.
Insurers could also act as a clearinghouse for cybercrime, using the experience gleaned from one attack to help its insured prevent a similar occurrence.
The success of the program will be closely watched, and you can be sure competing products will emerge. What is important is that sooner or later businesses must take responsibility for their own well-being, and if history is any guide, the likelihood of success seems always a bit greater when money is part of the equation.
For further reading on this topic: