In a blog post, Robert Morgus, a researcher and organizer for the New America Foundation’s Cybersecurity Initiative, raises the question: why is the market for cybersecurity insurance so underdeveloped?
“Despite the narrative, the crux of our current cyber problem is largely not technical at all, but instead comes down to organizational behavior,” he writes, noting that “bad security practices and poor investment” were to blame for the hacks on the Office of Personnel Management, and that “social engineering” led to the infamous infiltration of Sony’s information systems.
Rather than rely on legislation to reform organizations’ behavior, Morgus argues, Congress should lend support to cybersecurity insurance providers. “Insurance companies act as regulatory bodies, mandating security standards and behaviors that, if left uncorrected, can void coverage,” Morgus explains. “The problem at this point in time is not coming up with standards and practices, which already exist, but ensuring that they are followed. At the moment, they are not. Widespread insurance coverage could change that, but the market is immature and we’re just not there yet.”
Morgus argues there is a need for “meticulously-crafted, cyber-specific insurance products,” and points to a recent paper by New America Fellow Elana Broitman, which outlines measures that Congress could take to improve cybersecurity, among them sharing liability with insurance companies as an incentive for taking on the fuzzy risks involved.
“If insurance firms can better grasp the risks associated with expanded coverage, they will then attempt to minimize the risk they take on—and they are historically adept at doing so by mandating certain behaviors of their clients,” Morgus writes. “An insurance market might be able to encourage widespread adoption of the sort of best practices, like more and better encryption, which remain legal but controversial to some. Even simpler standards like good patch management could be adopted more rapidly. And once the lower-hanging fruit of human vulnerability is addressed, insurance companies could move on to risk mitigation by working with soft- and hardware vendors to address technical vulnerabilities.”