Roles for Policy-Makers in Emerging Cyber Insurance Industry Partnerships

Abstract

For years, insurers have urged government agencies to help the industry stabilize and expand its coverage for cybersecurity incidents by compiling aggregated data sets about those incidents and providing a federal backstop to help the private sector pay for especially devastating and widespread events. While policymakers have largely eschewed these roles, a wide range of security firms have stepped in to fill that void leading to a series of partnerships between insurers and information security providers, device manufacturers, incident response teams, law firms, and reinsurers that have aimed to meet these same goals of improving data quality and spreading especially large potential costs. In this paper, we review the partnerships established by five leading providers of cyberinsurance, using the firms’ marketing materials and a series of interviews conducted with representatives and actuaries at those firms. We identify three categories of these partnerships: (1) partnerships established to help insurers better assess and mitigate customers’ risk prior to the occurrence of any security breaches, (2) partnerships established to enable insurers to provide larger policies of up to $100 million to individual customers, and (3) partnerships established so insurers can help their customers better respond to and mitigate the costs of cybersecurity incidents after they do occur. We also identify three partnership models embraced by different insurance firms: (1) multiple, diverse partnerships with a variety of firms each of which offers a narrow, targeted security service; (2) partnerships with a select few firms each of which provides a wide variety of services; and (3) reliance on internal security expertise and in-house services rather than external partnerships. We consider the effectiveness and outcomes of these partnerships, relying primarily on interview data and public statements from the insurers and their partners, and find that partnerships focused on assessment and security controls are increasingly popular but have thus far shown no measurable results or improvements in customer security, while partnerships focused on breach response and cost mitigation are more common and have shown some reductions in ex-post customer costs tied to cybersecurity incidents, and partnerships focused on raising coverage limits are least frequent but insurers report that these programs enjoy considerable popularity with customers when offered.