The evolution of cyber-security and cyber-insurance
I’m sure all readers of this post have insurance of some kind: health insurance, life insurance, car insurance, or, if your name is Keith Richards, insurance specifically for hands. Businesses have their own types of insurance as well, not only for common risks like break-ins or theft, but also for rare yet highly damaging events such as litigation or cyber-attack. These business-specific insurance policies can allow management teams to operate their businesses without fear that some rare exogenous and unrelated event, which they may not have the expertise to track or mitigate, could wipe them out.
Cyber attack has now become exactly that type of event: a rare, exogenous occurrence which could potentially cripple a business yet is entirely unrelated to the business itself. This sets it apart from the threats that business leadership is accustomed to tracking, such as aggressive competitive actions or changing customer demand, and puts it in the same category as theft or an earthquake, which are usually outside of their expertise and are typically insured against.
Last month we had the unique opportunity and privilege to host a thought-leadership event on the intersection of cyber-security and cyber-insurance. We heard from many different perspectives, from the technical leadership of large businesses, to the actual providers of cyber-insurance financial products. The event we cheekily entitled ‘Cyber-Security: Protecting your Ass(ets)’. We built on this theme and married it with a Cyber-Insurance angle which was delivered through the mix of speakers.
For those of you unable to attend, I’ll use this post to cover some of the highlights and insights, and I encourage all of you to take a look at the recording here.
The event was kicked off by Blackstone CTO Bill Murphy, who, in an interview, discussed how cyber-security had become something that the entire organization, including C-level executives, the CEO, and the Board of Directors, paid attention to. Bill also touched on what he called a ‘massive talent shortage in security’, which makes it even more difficult for security-conscious companies to strengthen their security posture. This talent shortage is a strong indicator that there is a real need for scalable technology-based solutions that don’t rely on large workforces to implement.
Bill’s interview was followed by an interview with Skyport CTO Michael Beesley, who took the audience on a walk through the tectonic shifts in enterprise IT, and their impacts on security, over the past several decades. This culminated in an explanation of Skyport’s unique approach to security.
These two interviews set the stage for the core panel discussion covering the intersection of cyber security and cyber insurance. Our participants consisted of an interesting cross-section: Aidan Kehoe, of Oxford Solutions, and Michael Kraft, of Kraft Kennedy, represented different portions of the cyber-security services industry. Josh Stirling, of Sanford Bernstein & Co, provided a more high-level industry perspective as a leading security research analyst, and Eric Seyfried, of Aon, Inc., provided the perspective of the cyber-insurance provider industry.
The most high-level insight from this event is that cyber-insurance policies will continue to be tied to more tightly defined technology practices where security is required to meet some effectiveness threshold. This forces companies to tighten their security practices and can provide insurance providers with much-needed visibility into how they can mitigate the risks that they are essentially assuming on behalf of their customers.
This insight is aligned with the insurance industry’s general business model; cyber-insurance isn’t much different from other types of insurance compliance in terms of how it is structured and delivered. Aon’s Eric Seyfried, who crafts and sells cyber-insurance, referred to cyber-insurance products as ‘risk-transfer solutions’, because they take some balance sheet risk off of the buyer in return for regular payment. This means that if a cyber-insurance buyer is worried about a cyber-attack, they can protect company asset value via insurance. If a company asset is breached or devalued, that devaluation can be claimed against a cyber-insurance plan.
Analogous to regular burglary or disaster insurance, which generally requires adherence to de-risking compliance measures (break-in alarms, security guards, working fire alarms, etc.), cyber-insurance can require certain types of access to, and visibility into, data and compute so that risk can be minimized.
The group also discussed breach management, or, as Seyfried put it, ‘event management’, which is industry parlance for the flurry of activity and services required when a large breach actually occurs. Michael Kraft, of Kraft Kennedy, observed that the very first thing that a company should do if a breach event occurs is to contact their legal counsel for all response coordination. The group was unanimous in agreement on this point.
Over the next few posts, we hope to be able to assemble a few video clips of some of the highlights of the event. We look forward to sharing these with you, and we hope you take a look at the recording and attend our next event in person.
Broadly speaking, the topic of cyber-insurance, and its intersection with the topic of cyber security, is something that will certainly continue to develop. Stay tuned over the next few years as this emerging hybrid market for both cyber-security and cyber-insurance evolves. We will certainly be watching it very actively since this development is so relevant to our product here at Skyport.