The cyber insurance industry is not doing enough to incentivise insureds to mitigate their risk.
It’s like telling a young child to eat their vegetables, but not offering them chocolate dessert in return. Even though “carrots help you see in the dark” and spinach “gives you muscles like Popeye the Sailor,” most children are really in it for the chocolate.
Based on the well-known fact that humans respond particularly well to chocolate – aka, incentives – what are cyber insurers offering to customers to elicit better cyber hygiene and to encourage more comprehensive cyber risk management?
As far as I can tell, the answer is: not enough.
First of all, it’s important to clarify what I mean by “cyber hygiene” and “comprehensive cyber risk management”. While I do not profess to be a cyber expert, I understand that there are simple steps that every company could take to improve their cyber security.
For example, they can shore up their password management to ensure employees are changing their passwords regularly and using different combinations of letters, numbers and symbols. They can use multi-factor authentication (MFA), which requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN.
They can also say “no” to remote desktop protocol (RDP) – a tool that enables remote connections to a user’s desktop, which, in recent years, has become one of the most popular attack vectors for cyber criminals to access enterprise data and install tools including cryptominers, keyloggers, backdoors, and other malware.
And finally, every company should give their employees cyber security training, particularly in relation to identifying spoof emails, phishing campaigns and common traits of social engineering. As the saying goes: humans are the weakest link in cybersecurity.
Back to incentives – the most obvious one would be for insurers to offer clients discounts on their premium if they implement X, Y, Z security controls. While some cyber insurance carriers are doing this, they typically only offer discounts related to mitigation on an individual basis, and often only for larger, risk-managed clients where the premium will remain significant.
That’s like only offering chocolate to the children who enjoyed creamy mashed potato with a side of gravy, leaving the peas and tomato ketchup kids behind with nothing.
Now, by no means am I suggesting that cyber insurance should be sold purely on price. Risk management-related discounts are just one of many incentives that insurers could consider to encourage better cyber hygiene practices.
I applaud cyber insurers worldwide for their educational campaigns around cyber risk and cyber security controls. These campaigns are really starting to gain steam, but we haven’t yet reached the point where cyber risk mitigation practices have become “normalised”. We automatically put a seat belt on when we get in the car, but we don’t always hover our cursor over a new email address or link to check if it contains any suspicious characters.
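Hovering over a link only helps if you know what to look for. The script below is an added illustration, not code from the original post, of what “suspicious characters” in an address can mean in practice: it takes a link or sender address and reports punycode labels, non-ASCII characters, digit-for-letter look-alikes of a domain the organisation expects, and an expected domain buried inside someone else’s. `EXPECTED_DOMAINS`, `CONFUSABLES` and the sample inputs are constructed for the example; a real deployment would load its own domain list.

```python
import unicodedata
from urllib.parse import urlsplit

# Domains the organisation expects to see in legitimate mail and links
# (constructed for this example).
EXPECTED_DOMAINS = {"example.com"}

# Look-alike sequences that registered imitation domains commonly use,
# mapped back to the letters they imitate (constructed, not exhaustive).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def hostname_of(target: str) -> str:
    """Extract the host from a URL, or from a bare e-mail address (the part after '@')."""
    if "@" in target and "://" not in target:
        return target.rsplit("@", 1)[1].lower()
    return (urlsplit(target).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Last two labels of the host, e.g. 'example.com' for 'login.example.com'.
    Approximation: multi-part public suffixes such as '.co.uk' are not handled."""
    return ".".join(host.split(".")[-2:])


def fold_confusables(host: str) -> str:
    """Replace digit/letter look-alikes with the letters they imitate."""
    folded = host
    for lookalike, letter in CONFUSABLES.items():
        folded = folded.replace(lookalike, letter)
    return folded


def suspicious_reasons(target: str) -> list[str]:
    """Return the reasons a link or sender address deserves a second look.
    An empty list means none of the heuristics fired."""
    host = hostname_of(target)
    if not host:
        return ["no hostname could be extracted"]
    reasons = []

    # 1. Internationalised (punycode) labels: the mail client may render them
    #    as non-Latin glyphs that look like a familiar brand name.
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            decoded = host.encode("ascii").decode("idna")
            reasons.append(f"punycode host decodes to {decoded!r}")
        except UnicodeError:
            reasons.append("punycode (xn--) label in hostname")

    # 2. Raw non-ASCII characters: name the first one so the reader can see
    #    that the 'a' is, for instance, Cyrillic rather than Latin.
    for ch in host:
        if ord(ch) > 127:
            reasons.append(f"non-ASCII character {unicodedata.name(ch, 'UNKNOWN')!r} in hostname")
            break

    # 3. Digit/letter substitution that collapses onto an expected domain.
    reg = registrable_domain(host)
    if reg not in EXPECTED_DOMAINS and fold_confusables(reg) in EXPECTED_DOMAINS:
        reasons.append(f"{reg!r} is a look-alike of {fold_confusables(reg)!r}")

    # 4. Expected domain used as a subdomain of some other registered domain.
    for expected in EXPECTED_DOMAINS:
        if expected in host and reg != expected:
            reasons.append(f"{expected!r} appears inside host but the registered domain is {reg!r}")

    return reasons


if __name__ == "__main__":
    # Constructed sample inputs, one legitimate and four imitation patterns.
    samples = [
        "https://login.example.com/account",
        "billing@examp1e.com",
        "https://xn--exmple-qta.com/",
        "https://ex\u0430mple.com/",
        "https://example.com.some-other-site.net/",
    ]
    for sample in samples:
        print(sample, "->", suspicious_reasons(sample) or "nothing flagged")
```

The heuristics are deliberately simple: `fold_confusables` will occasionally flag an honest domain whose letters happen to fold onto an expected one, and `registrable_domain` treats the last two labels as the registered name, so hosts under two-part public suffixes would need a proper suffix list. The point is the shape of the check a user is being asked to do by eye, which is exactly the kind of step that is easier to automate than to train.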
Until we reach that stage of cyber security literacy, I believe more incentives – aka, chocolate bars – are needed.