For several years, ICT4Peace has held conversations with representatives of the insurance industry and government on the role of insurance in fostering cybersecurity. We are delighted that the Stimson Center produced this excellent Case Study entitled: “Market Incentives: The Insurance Industry and Cyber Accountability”.
The Case Study was written by Debra Decker with extensive input from Nonresident Fellow Kathryn Rauhut, Darren Pain of the Geneva Association, and other sources who wish to remain anonymous, including from major insurance brokerages. Editor: Allison Pytlak, Senior Fellow and Director, Cyber Program.
The Key Takeaways and Recommendations are summarised as follows:
- “Strengthen Insurance as A Mechanism to Promote Accountability
- Require and Standardize Incident Reporting and Processes for Better Risk Analysis and Management
- Require More Consistent Minimum Conditions and Definitions for Coverage/Benefits
- Expand Understanding and Availability of Catastrophic Cyber Risk Mechanisms With Clear Terms in Backstops and Triggers”
“Security threats posed by the internet, artificial intelligence (AI), and quantum computing are multiplying at a speed with which governments and legislatures cannot possibly keep pace. Currently, market mechanisms such as credit ratings, product and service security ratings, liability adjustments, procurement requirements, tax adjustments, grants, and insurance are relatively untapped incentives that can play a pivotal role in promoting accountability for securing cyberspace.
Market incentives to promote cybersecurity would help build a case that shifts security from a burdensome requirement or regulation to a value-added effort. Broadly speaking, market mechanisms are in different stages—some require more capacity or development, while others are evolving on their own terms.
One market incentive that could benefit from more coordinated support and integration into policy discussions is insurance. The industry’s effect on cybersecurity is not fully appreciated, and the accountability required of the insured and of the insurance industry is not yet well leveraged.
Although much has already been written about cyber insurance in relation to cyber issues within international relations, this case study considers cyber accountability from multiple perspectives to consider how collaborative public-private approaches can leverage commercial insurance to help better manage global cyber risks. Insurance is a mechanism the insureds use to transfer and share risks they do not want to carry themselves.
Insurers hold the insured to account for certain behaviors as a condition of coverage and price their premiums based partly on the underwriters’ assessments of risks. Insurers are likewise held to account for their performance in cyberspace by their owners who provide the capital, by governments, and by the public who consider the societal effects of insurers’ actions, such as their role in ransomware claims. Government regulations, liability considerations, and broader enterprise risk concerns within the insurance ecosystem all affect the industry and can be leveraged to improve cybersecurity.”
ICT4Peace is grateful to the Stimson Center for allowing the reproduction of the full text of the Case Study, which can be found here.