Inherent Vice?

Josephine Wolff

Everything about Equifax’s inept handling of its massive data breach in September suggested that the credit bureau had put no time or effort into planning for how to respond to such an incident. From accidentally publicising a phishing website aimed at affected consumers to forcing people who used the company’s credit monitoring service to waive their rights to sue it for failing to protect their information, Equifax gave the impression it had no plan in place for dealing with a major security breach. But in one respect the company was prepared: it had insurance.

It is still too soon to know how much the leak of more than 140 million individuals’ personal information will end up costing Equifax – that will depend on class action lawsuits, settlements and regulatory fines, all of which will take months, if not years, to be resolved. But however expensive the incident ends up being, Equifax’s insurance policies will probably cover between $100 million and $150 million of the cost. That may not be enough to compensate the company fully, but it will certainly help. More than that, it will remind other companies that, along with stronger firewalls, better encryption and more complicated authentication systems, they, too, should be investing in the hottest cyber-security commodity of the moment: insurance coverage.

Cyber insurance has been around for more than a decade, but demand has increased rapidly in recent years with firms – and even some individuals – struggling to find insurers willing to provide as much coverage as they would like to buy. Most policies are capped at a few million dollars for large firms, and apply only to narrowly defined types of incident – usually data breaches of customer information – and specific costs associated with them, such as legal fees and customer credit monitoring. To get more coverage, businesses have to stack policies from different insurers, almost none of whom are willing to cover denial-of-service attacks or theft of intellectual property, because they are unsure how to calculate the damages.

Growing demand ought to lead to growing supply, but the cyber insurance market has been relatively timid in its expansion. In part, this is because insurance is, by nature, a risk-averse industry. Insurers don’t sell big policies unless they can be absolutely certain of the odds of having to pay out. And cyber risks are in many ways harder to measure, and model probabilistically, than car accidents, disease or natural disasters.

As insurers scramble to model computer threats in order to meet the growing demand for cyber insurance, they are wrestling with a question no one knows the answer to yet: is cyber risk like the other types of risk we manage using insurance – fires, floods, cancer, car crashes – or is it fundamentally different?

Actuaries in the former camp argue that the only really different thing about cyber risk is that it’s new. With a little more time, and a little more data, they think, insurers will be able to build models for data breaches and other cyber security threats that will allow them to estimate how often they occur and how much they cost every bit as accurately as they can model road accidents or how long you are likely to live. As the data gap is filled in the coming years, the cyber insurance market will evolve and grow on its own.

But not everyone is convinced that it’s simply a matter of collecting better data. There’s another view emerging in the insurance industry that cyber risk is inherently different from other types of risk – that it’s hard to characterise or capture using the methods insurers typically rely on, because of how deeply interconnected and unpredictable computer-based threats are.

Insurers diversify their customer risk profiles for natural disasters, for instance, by covering customers in different geographical regions, but they have no analogous way of making sure that all their cyber insurance customers aren’t hit simultaneously by a single virus, forcing them to pay out millions of claims at once. Another concern is that historical data on how frequent or expensive computer security incidents have been in the past may not be indicative of how frequent or expensive they will be in the future.

That would be bad news for firms looking to protect themselves from bearing the costs of major breaches, but it might be even worse news for individuals, some of whom are now looking to buy personal cyber insurance policies to protect themselves from the consequences of stolen data and compromised accounts. Personal policies might help protect people with a lot to lose, but mostly they will shift liability for breaches onto individuals instead of the companies that let them happen.