Abstract

Market forces cannot be relied upon to ensure the cyber security of safety-critical industries. Companies often lack the technical information to make informed decisions, for instance about the security of Commercial Off The Shelf (COTS) software. The pressures of competition also make it difficult to justify the cost of securing supply chains. Regulatory intervention can address these concerns. However, the recent recession prevents regulatory agencies from funding the salaries and incentives needed to retain competent cyber-security specialists. Tort provides an alternative; companies can seek redress through the courts when service providers fail to meet security requirements. However, tort is typically used in the aftermath of a security breach; the general public may be exposed to considerable risk before litigation addresses existing vulnerabilities. Companies can purchase cyber-insurance to offset future liabilities. Underwriters have a strong motivation to work with policyholders to improve cyber-security and thereby reduce their exposure. However, it is difficult for actuaries to account for the risks of future cyber attacks without accurate information about the frequency and consequences of previous attacks. The extent to which any country relies on market forces, tort, regulation and cyber-insurance is determined as much by political influence as by technical arguments. The political response to economic recession combines with the changing nature of cyber-risks and inconsistent approaches to the reporting of previous incidents to undermine the future resilience of safety-critical infrastructures. In contrast, we argue that improving cyber incident-reporting will support the actuarial basis of cyber insurance. This, combined with a requirement for regulatory competence, will assist companies in securing their chains of supply.
