Certain Uncertainties – Cyber Insurance and the Race to the Unknown

Shortly before I went to bed on the night of Sunday Jun 8, the New York Times published an article on a topic that I had spent the last 6 months explaining to anybody who cared to listen – cyber security insurance. By the time I woke up Monday morning, 4 people had sent me the link to make sure I had seen it, and to ask my thoughts. The answer is that NYT got it right – and they did a great job making it understandable.


Cyber security is a hot topic. Every day there is news of a big hack that, for the most part, affects all of us in a very personal way. We’ve all spent the better part of a decade broadcasting ourselves and our lives onto the internet, and are beginning to experience the blowback – our nearly naked exposure to theft, fraud, and spying. It will get worse before it gets better – and it will only get better when people start learning how to protect themselves. That’s what Scalar Security aims to do.


But the topic of the NYT article – cyber security liability insurance – is less well known. Insurance is like that. It lurks in the shadows and steps forward only when a problem occurs, hopefully to ease the pain of the problem. Cyber insurance is designed to help pay for forensics (determining the cause of a breach), remediation (reconstructing damaged systems), and liabilities (purchasing credit fraud protection for customers.)


But a funny thing is happening – they are getting it wrong. It turns out that companies, for the most part, do not understand their risk. The Target breach, perhaps the favorite case study in the media, has revealed a company that was under-insured by a factor of 10 – $100M in coverage for what ended up being a $1B breach. This will hurt Target, badly, but it will not hurt their insurer – this time.


What’s frightening is the thought that Target might be the rule rather than the exception; that most companies are under protected and under insured. When the gap between the actual and perceived risks is this wide, there is likely to be more damage. Consider the insurance companies, who have aggregated dozens or hundreds of policies like that of Target, operating under the assumption that their risk is diversified.


We are suggesting that insurers may unwittingly hold large portfolios of companies who have 1) underestimated their assets at risk, and 2) placed those assets under inadequate protections.


It may be the case that our digital infrastructure is flapping in the breeze, not only at risk, but without backstops to minimize damage. In the case of an individual firm, a breach could topple that firm. But in the case of a systemic breach – like a takedown of payment card systems or telecoms – it could upend the entire economy. This is why the government has mobilized by developing and launching the NIST Cybersecurity framework.


We believe that frameworks like this will be essential in mapping the road forward. These fundamentals are the building blocks of not only an effective security program, but a resilient organization with a strong risk management ethos. We believe that these frameworks will be invaluable to companies of all sizes, as well as the insurers who back their systems.


We are currently developing an easy questionnaire that will help you assess your organization’s security posture, and give you some concrete feedback about what works, and what needs work. Submit your email to receive updates on the tool when it becomes available.