The global cybersecurity insurance market size is projected to grow from $7.8 billion in 2020 to $20.4 billion by 2025, representing a CAGR of 21.2%. But for now, the cybersecurity industry remains divided on whether this growing market encourages cybercrime.
Some experts claim the notion is little more than a conspiracy theory and that it's unlikely hackers can discern whether a target organization is insured. Others suggest such specific knowledge isn't necessary and the increasing likelihood of an insurance payout both encourages attacks and discourages security measures.
Asaf Ashkenazi, COO of cybersecurity software firm Verimatrix, takes the latter view. Drawing on his 15 years of experience in cybersecurity strategy and analysis, he has come to the conclusion that the insurance market has inadvertently created a goldmine for hackers. To combat this trend, he argues, companies should be rewarded by their insurers for adopting more rigorous security protocols.
The Edge: What do you say to people who dispute the claim that cyber insurance incentivizes cybercrime? What do they get wrong?
Ashkenazi: I don't think cyber insurance incentivizes cybercrime by intention. It's an old claim that you can make about any type of insurance. … If somebody steals your car and they pay, you might say, "Hey, they are encouraging that behavior." I don't think that is directly the case.
But indirectly, it could be that insured companies will be more likely to pay a ransom because it doesn't come directly from their pockets. I'm not blaming the victims that are paying. No company wants to be in this situation. But it is very clear. Each time we pay, we're making this problem worse because we incentivize them to do it more. We also fund their operations. What they're doing is very profitable, but we still need to remember that they have very high costs.
You can claim that this activity is encouraged if insurance companies cover the cost of the ransom and companies are saying, "OK, I have insurance, so I will not invest in security." And then the money goes through to the criminal. I wouldn't say that the insurance industry has any ill intent in encouraging that, though.
The Edge: Do you think that minimum levels of security control ought to be met in order for companies to get a cyber insurance policy?
Ashkenazi: There needs to be more collaboration in the industry. Most risk assessment is based on the size of the company. It's very difficult to evaluate the entire security level of the company. It's very expensive and also quite disruptive for the company that is being evaluated. If we find vulnerabilities or other issues in a company that is likely to be attacked now, I think that we need to work with those companies to offer them a suite of solutions, or at least a minimum solution, as an incentive.
For example, when I insure my home, if I have a burglar alarm, I get a discount. They can tell me, "Hey, we are working with these [security] companies. You can go and shop with them." We hear about the big attacks like the Colonial Pipeline, but there are a lot of midsize companies that are being attacked. It's a human mentality to say, "Well, I hear about it a lot in the news, but I don't think that we are big enough or we are interesting enough. We are a meat processing company. They will not come after us. But if they do, I have insurance." I think that if insurers came to them and offered them a discount for following certain security recommendations, they would find that more companies would be open to doing that.
The Edge: Why are companies more inclined to rely on insurance and less inclined to establish proper security protocols?
Ashkenazi: There is the cost of doing it. But I think that a lot of them don't even know what exactly to do. Everybody is trying to sell a different solution. It's very difficult for them to know what hackers will go after in their business, what the low-hanging fruit is. They are not necessarily tech companies. They're businesses. But more importantly, they don't understand if they will do it, whether it will help or not. With insurance, they know that if this happens, it's very predictable. "I know that if I pay for the insurance, under these conditions it's covered. If I pay for this security solution, would it help me?"
What if it's part of the insurance policy, if we apply it the same way that you're doing for good drivers or having a safer car? "I know that it's important and worthwhile because it's lowering my risk. The insurance company believes that it's lowering my risk, and they even incentivize me to do so."
The Edge: What sorts of practices can insurance companies incentivize their clients to take in order to minimize risk?
Ashkenazi: They need to put more effort in when they do risk assessment. Instead of assessing risk according to the likelihood that they will have to pay based on the size of the company, they should look at the attacks that are happening, what led to these attacks, what could have been prevented. They don't need to do it alone. A consortium of cybersecurity companies could potentially advise the insurance industry.
If you look at a lot of the attacks, it's rarely "immediate zero." Usually, it's the same mistakes. A company gets attacked, and then a week later, another company is just repeating the same mistake. And in many cases, it's not because there was no solution to prevent the attack. It's either that the company didn't have a solution or they didn't deploy it correctly.
The Edge: How are cybercriminals able to figure out how much their potential targets are insured for and select them accordingly? How sophisticated are they in that regard?
Ashkenazi: They are quite sophisticated. They will try to understand what the company is doing and what their revenue is. So they say, "OK, this is how much the company is making." Then they will look at the files they can access and the damage they can create. And if the damage is big, of course the price will be higher. I don't think that they have the ability to know whether a company is insured, unless they get into the system and find the contract with the insurance company. But that's a lot of work for them. Typically they will look at companies of a certain size that are likely to have cyber insurance.
The Edge: Should governments be collecting data to help insurers create more accurate risk models? What kind of data should they be collecting?
Ashkenazi: I don't think that's the solution. But I do think that the government could be more involved in facilitating a standardized way for insurance companies to incentivize companies to adopt the proper security measures. There are a lot of bodies that are not governmental, but that the government at some point helped or partially funded. A consortium of insurance companies could provide recommendations and incentivize companies that comply with them.
The Biden administration established a timeline for creating security policies for all federal agencies. I think it's a very good start because that could be the basis for rules to be adopted by the industry, especially if they're working with the industry. Several insurance companies can collaborate and take that work and then work with the industry to adapt it to the private sector. That could be a very positive way toward improving the situation.