Cyber Insurance Discount Incentives: An Idea Whose Time Has Come
If you own a home, chances are you receive discounts on your homeowners insurance for having smoke detectors or a security system.
The same goes for your auto insurance, where you may be getting a break on your monthly premiums for having a safe driver record or parking in a garage rather than on the street.
Employers increasingly are using lower health insurance premiums to motivate workers to make good lifestyle choices.
These discount incentives are a win-win: Policyholders save money and indirectly invest in better health or a safer home or car; insurance companies get help in reducing risk and preventing claims.
That’s why discount incentives have been standard practice across the insurance industry for decades -- and why we should start to see their adoption in the emerging cyber insurance sector.
Discount incentives motivate best practices. A company adopts technologies and policies to better protect its sensitive data from cybercriminals. The cyber insurer offers better terms in exchange for the mitigated risk.
Makes sense, right? So why have incentive discounts yet to become de rigueur in cyber insurance?
For one thing, cyber insurance itself is still a relatively new market. Although it’s estimated that 59 percent of companies in 2016 are incorporating cyber insurance as part of their strategic cyber security initiatives, there is still a long way to go.
Interest in cyber insurance as a way to lessen business and infrastructure risk is growing quickly, however, due to the high-profile breaches suffered by retailers, financial services companies, government agencies and others in recent years. Total cyber insurance premiums will soar from $2.5 billion in 2015 to $7.5 billion by 2020, according to a PricewaterhouseCoopers forecast.
Cyber insurers have been grappling with how to adopt the carrot-and-stick approach so common in other lines of insurance. Offering a car insurance discount for a vehicle equipped with an anti-theft system is a simple concept, but determining what the appropriate controls are to reduce cyber-risk has turned out to be more challenging.
The questions insurers are asking themselves include: What are the real benefits of various security tools? How granular should we get – should we recommend one specific technology over another? And what are the proper discount levels?
Furthermore, cyber insurance isn’t regulated like auto or home insurance. Each carrier has different types of coverage and terms. The pricing isn’t as structured as with traditional insurance products, so the discounts are more difficult to define.
However, as the market matures, cyber insurers will better understand risk models and settle on a standard set of safeguards that merit discount incentives. This will be fueled by ongoing, active management of and visibility into the security posture of their policyholders.
A few possibilities:
- Better training to prevent employees from being misled by phishing scams – fraudulent email messages that appear to come from legitimate enterprises and can trick the recipient into providing access to private data.
- Ongoing security monitoring to reveal any weaknesses or exposures inside the enterprise or in third-party vendors and suppliers.
- Forensics analysis to better understand the organization’s IT architecture and identify any potential openings that exist for hackers to penetrate.
- Exhaustive penetration testing.
- Evaluating the company’s security posture through the lens of the National Institute of Standards and Technology’s cyber security framework.
Discount incentives are a natural next step as the relatively young industry matures and expands. Not only will major insurers start rolling out these programs, but customers will begin to expect and demand them.
No one wants to be breached, and through the insurance assessment and renewal process, organizations will be further motivated by the discounts to take steps to improve their security posture.
The insurance industry has historically been at the forefront of promoting safety features that ultimately benefit society as a whole, and cyber insurance will be no exception.
(About the author: Jacob Olcott is vice president of business development at BitSight, which provides companies with objective, evidence-based security ratings. He has previously worked as legal adviser to the Senate Commerce, Science and Transportation Committee on Cybersecurity, and as staff director for the House Homeland Security Committee’s Subcommittee on Emerging Threats, Cybersecurity, Science and Technology.)