What lessons can we learn from the perfect storm hurricane that shaped the insurance industry in Florida? While not a huge problem at the moment, it may be worth keeping an eye on this one.
State Sponsored Insurance
After Hurricane Andrew in 1992, which caused 26.5 billion dollars in damage, 11 insurance companies went bankrupt and others stopped providing property insurance in the state of Florida. This left a significant number of homeowners unable to obtain insurance. The State stepped in and created two state-sponsored insurance organizations to act as an insured's last resort.
What does this mean for cyber liability and the insurers who are providing cyber coverage? We see the possibility of a perfect storm brewing. In our last blog post, we cited an article that referenced a Ponemon research study that indicated 67% of small and medium-sized businesses had experienced a cyber attack. The good news for the cyber liability insurance industry is that most of these businesses are not insured. If the government mandated that all small and medium-sized businesses obtain cyber liability insurance, could the industry handle the volume?
We predict a scenario similar to Florida's reaction after Hurricane Andrew, based on the following sequence of events:
- A large number of small and medium-sized businesses experience cyber attacks, almost continually.
- Government agencies mandate that all businesses purchase cyber liability insurance (similar to other mandated insurance).
- Attacks continue on small businesses and a massive influx of cyber liability claims is made.
- Forensic teams cannot support the volume and cyber liability insurers cannot afford to pay out premiums.
- This may result in bankruptcy or in government-backed programs intervening.
Risk is not a series of yes or no questions
As we position ourselves as educators and leaders of cybersecurity in the insurance industry, we've become quite familiar with the ins and outs of how cyber liability insurance is sold. From our research and firsthand experiences, buying a cyber liability policy is a lot like what happens when you purchase car insurance.
You may be asked your age, gender, physical location, and driving history, and whether you've met all state requirements to drive. Similarly, when buying a cyber liability policy you will be asked questions such as: do you have an incident response plan, a disaster recovery plan, a written information security program? However, driving a car and managing cybersecurity are two completely different animals. So why are they treated the same way? Simply put, calculating cybersecurity risks for companies is difficult and often confusing from the outside looking in.
This is why a series of yes or no questions about your company's approach to cybersecurity is not enough. Yes or no questions are not a risk assessment. They may be classified as a gap analysis, which has value, but a series of questions does nothing to assess risks from the perspective of likelihood and impact. Without making a determination of risk, the insurance providers are treating every company as if they are a perfect driver, with no history of accidents, proper training, and impeccable decision making. However, this is often not the reality of the situation, which adds fuel to the fire for the potential perfect storm described above.
Reduce your likelihood and overall risk
We’ve made this point before, but it’s extremely important to repeat. Buying cyber liability insurance is a great first step in reducing your risk from an impact perspective. Shifting financial liability may save a company big bucks after an attack. Despite this, companies should consider their “likelihood” variable of the risk formula, because cyber liability insurance does nothing to reduce your likelihood of an attack. If anything, it may create a false sense of security.
If you’re ready to start reducing your risk, learn about our cybersecurity program development capabilities. Your cybersecurity program is a great start to writing or adopting the best cybersecurity policies and procedures.