5 Reasons Cyber Security Is Failing and What P/C Insurers Can Do About It

August 18, 2017 by

Businesses are spending a small fortune on cyber security but what they are doing is not working very well, according to a cyber security expert who sees the insurance industry as a key to improving the situation.

“We have a lot of money going into trying to address this problem,” David Garrett, founder of Tensyl Security, a San Mateo, Calif.-based security consulting firm, told executives at the 2017 Super Regional P/C Insurer Conference in Lake Geneva, Wis. last month.

Businesses are spending more than $70 billion a year for cyber security tools and more than $3 billion in cyber liability insurance premiums.

Garrett identified several reasons cyber security efforts are failing including that current approaches to security ignore organizational cultural issues and that the “avalanche” of cyber tools is overwhelming buyers who have little way of knowing which ones work.

More from Garrett on Carrier Management:

Concrete Steps Carriers Can Take to Help Insureds Improve Cybersecurity

According to the security expert, the property/casualty insurance industry is positioned to play a pivotal role in cyber security by educating clients on the real drivers of cyber breaches, collecting better data from insureds on their security practices, and helping their insureds decide which security steps and tools are the most effective.

“In fact, I think that by helping insureds, carriers will actually grow this particular business,” he said.

According to Garrett, nearly every person on the planet has had his or her identity stolen in the last eight years.

Also, more than 20 percent of small and medium-sized businesses have reported that they have been victims of a cyber attack, a number that is growing 15 percent and more a year. The real percentage is higher because many firms do not report they have been attacked, he said.

The Ponemon Institute estimated cyber security expenditures at $75 billion in 2015. The Worldwide Semiannual Security Spending Guide from International Data Corp. (IDC) forecast that worldwide revenues for security-related hardware, software, and services will grow from $73.7 billion in 2016 to $101.6 billion by 2020. IDC said the U.S. share of that cyber security investment in 2016 was $31.5 billion.

Businesses are also paying for cyber liability insurance. The global market for cyber insurance grew to about $3.4 billion in premiums last year and could rise to between $8.5 billion and $10 billion by 2020, reinsurer Munich Re estimates. U.S. property/casualty insurers wrote $1.35 billion in direct written premium for cyber insurance in 2016, a 35 percent jump from 2015, according to reports by Fitch Ratings and A.M. Best. Insurance broker Marsh estimated that total annual cyber premiums hit $2 billion in 2016 and may reach $20 billion by 2025.

Cyber attacks are all over the news.

“You read about them every day. Whether you’re talking about the potential Russian hack into our election, or the Yahoo! data breach, or name the next mega data breach which is going to happen later this week because there will be one,” he said.

Yet, all this money and attention don’t seem to be making a dent.

“Why is it that, even though a lot of very smart people are trying to address this problem and spending significant amounts of money, we’re not doing well?” Garrett asked. “We’re doing terrible at it. I have been asking myself, ‘why?’”

He offered five reasons cyber security has been ineffective:

Garrett believes there are various ways the insurance industry can make a difference. The industry can collect better data from insureds on their security practices, help them decide what steps and tools would work for them, offer safe cyber discounts and, most important, improve organizations’ cyber culture.

“I don’t think that carriers, so far, have done a good enough job of really educating the insureds about the true drivers,” he said.

He suggested that white papers, seminars and conferences are among the ways to educate clients.

He urged carriers to help their clients understand that whether they have this firewall or that data loss prevention tool is in some ways less important than talking about their culture, taking a holistic approach.

“Most companies, most organizations, are not thinking of this problem in that way,” he said. “I think the carriers have a real opportunity to change the conversation.”

Regarding safe cyber discounts, many carriers are already offering them. “To those I would say, ‘Keep doing it, and in fact make it an even bigger part of your program because I think they’re very effective,’” Garrett said.

He suggested financial incentives be based on factors such as whether the organization has a dedicated information security team. “I know, at least anecdotally, that those organizations that have professionals that focus exclusively on this are generally in a more mature state and much more nimble when it comes to being able to change and address risk. I think that is one of the first questions I would certainly want to know,” he said.

Another safety credit qualifier might be if the organization does annual security risk assessments. He said having an outside, independent risk assessment provides a level of independence.

He acknowledged that not all risk assessments are equal and the field is changing regularly. But they still have value. “I do think that to an extent that an organization takes a cyber security framework and embraces it and is trying to improve based upon it, they’re in a much stronger position,” he said.

According to Garrett, it matters less which security assessment or framework an organization chooses than it does that the organization has decided it is going to follow a structure to be able to constantly measure maturity and improvement over time. “You can’t measure improvement unless there’s some basis to measure it up from. That’s really what one of the best values of the security framework is,” Garrett said.

Credits can also be given to those with independent cyber security certifications. “In my mind, it’s less the certification than the investment that the company has made in it as being reflective of the vision of the company,” he said.

Insurers can also help with the choice overload problem plaguing the security field.

“Now I’m sure this is a little bit of a tricky subject because insurance carriers are not necessarily in the business of being the Consumer Reports for software vendors,” Garrett acknowledged. “But I do think that there’s an ability, and most carriers would have the leverage, to start helping insureds identify certain insurance products that are routinely rated the best.”

He urged carriers to play a more active role in helping insureds so that “there isn’t sort of paralysis of decision‑making, when it comes to some of these more technical choices.”

Finally, he urged carriers to focus on collecting meaningful data on insureds’ cyber cultures, data that they can access but most other organizations could not.

“What seems to be happening now is that the data being collected now from insureds is fairly superficial: ‘Do you have a written information security plan?’ You know, ‘What industry are you in?'” he said. “Those are important metrics… but I think there’s a real opportunity set up to create models that provide much more insight into the types of behaviors that are going to result in data breaches.”

He suggested insurers collect data on passwords.

“It’s well known that weak passwords are a well-used attack factor to get into organizations,” he said, explaining that it is possible to do an analysis of an organization’s passwords to evaluate the strengths and the weaknesses. Such an analysis can provide insight into an organization’s “convenience versus security risk factor” and whether it is an organization that favors convenience over security.

Another series of questions insurers might ask could get at how the organization handles routine IT management such as software updates or patches to software. “It happens all the time,” he noted. “At least if you have good IT hygiene, you’re doing that.”

Part of this analysis looks at how insureds are managing vulnerability over time. “How long does it take them to actually patch those critical securities?” If it takes them a long time, it may mean they lack resources or are understaffed. “It also could mean a sort of cavalier attitude towards patching and security,” he said.
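The two hygiene signals Garrett describes, a password-practice profile and time-to-patch for critical findings, can both be reduced to simple, comparable metrics. The script below is an added illustration, not code from Garrett, Tensyl Security or the article; the vulnerability records, account list, common-password list and per-severity remediation targets (SLA_DAYS) are all constructed for the example, and a real assessment would work from scanner exports and directory hashes under an agreed scope rather than the plaintext values used here.

```python
"""Cyber-hygiene metrics of the kind the talk describes, computed over
constructed sample data (not real insured data)."""
from collections import Counter
from datetime import date
from statistics import median

# Constructed vulnerability records: (asset, severity, detected, patched-or-None).
VULN_RECORDS = [
    ("web-01", "critical", date(2017, 3, 1), date(2017, 3, 4)),
    ("web-02", "critical", date(2017, 3, 1), date(2017, 4, 20)),
    ("db-01", "critical", date(2017, 5, 10), None),   # still open
    ("fs-01", "high", date(2017, 5, 10), date(2017, 5, 30)),
    ("lap-07", "medium", date(2017, 6, 1), date(2017, 6, 2)),
]

# Hypothetical remediation targets in days per severity (assumed policy values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Date the report is run; open findings accrue days up to this point.
AS_OF = date(2017, 7, 1)


def days_open(detected, patched, as_of):
    """Days a finding was (or still is) open as of `as_of`."""
    return ((patched or as_of) - detected).days


def patch_summary(records, as_of, sla=SLA_DAYS):
    """Per severity: number of findings, median days open, share closed
    within the SLA, and how many remain unpatched as of `as_of`."""
    by_sev = {}
    for _asset, sev, detected, patched in records:
        d = days_open(detected, patched, as_of)
        within = patched is not None and d <= sla[sev]
        s = by_sev.setdefault(sev, {"count": 0, "days": [], "within_sla": 0, "open": 0})
        s["count"] += 1
        s["days"].append(d)
        s["within_sla"] += int(within)
        s["open"] += int(patched is None)
    return {
        sev: {
            "count": s["count"],
            "median_days": median(s["days"]),
            "pct_within_sla": round(100.0 * s["within_sla"] / s["count"], 1),
            "open": s["open"],
        }
        for sev, s in by_sev.items()
    }


# Constructed account list with plaintext values purely for illustration.
ACCOUNTS = [
    ("alice", "correct horse battery staple"),
    ("bob", "Summer2017!"),
    ("carol", "Summer2017!"),     # reused across two accounts
    ("dave", "password1"),        # on the common-password list
    ("erin", "x9$Lq!rT2#vB"),
]

# Small constructed stand-in for a breached/common-password blocklist.
COMMON_PASSWORDS = {"password1", "123456", "qwerty", "letmein"}
MIN_LENGTH = 12


def password_summary(accounts, common=COMMON_PASSWORDS, min_len=MIN_LENGTH):
    """Share of accounts that are short, on the common list, or share a
    password with another account. Findings per account is a crude
    'convenience over security' indicator: higher means more shortcuts."""
    counts = Counter(pw for _, pw in accounts)
    short = sum(1 for _, pw in accounts if len(pw) < min_len)
    on_list = sum(1 for _, pw in accounts if pw in common)
    reused = sum(1 for _, pw in accounts if counts[pw] > 1)
    n = len(accounts)
    return {
        "accounts": n,
        "pct_short": round(100.0 * short / n, 1),
        "pct_common": round(100.0 * on_list / n, 1),
        "pct_reused": round(100.0 * reused / n, 1),
        "convenience_score": round((short + on_list + reused) / n, 2),
    }


if __name__ == "__main__":
    for sev, s in patch_summary(VULN_RECORDS, AS_OF).items():
        print(sev, s)
    print(password_summary(ACCOUNTS))
```

In the constructed data the critical findings show a median of 50 days open with only a third closed inside the assumed 7-day target, which is the pattern Garrett reads as either understaffing or a cavalier attitude; the password profile flags 60 percent of accounts as short, 40 percent as reused and one as on the common list. Open findings are counted as still accruing days so that an unpatched critical item cannot hide from the median.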

A focus on information gathering can make a difference.

“I think there’s a real opportunity to create models that provide much more insight into the types of behaviors that are going to result in data breaches,” Garrett told the executives.

The Super Regional P/C Insurer Conference was sponsored by actuarial consulting firm Demotech Inc. and Wells Media’s Insurance Journal and Carrier Management. Videos of the presentations are available on the website.
