Can cybersecurity insurance protect consumers from attacks?

As we move beyond the widespread acceptance and use of online banking and trading platforms and push further into an increasingly digital financial marketplace, consumers face new forms of risk—namely, cyber risk—that would have been unfathomable previously. When confronted with risks that could be financially devastating, consumers are driven to mitigate and insure against such perils. Has the time come to purchase insurance for financial cyber risks?

Rational consumers seek to prevent, minimize or avoid adverse financial outcomes by purchasing insurance to protect against actual and perceived risks they can’t easily afford. Insurance essentially serves as a risk management and wealth preservation tool. However, consumers realize that it doesn’t make sense to purchase insurance when the cost of coverage is so high that they will pay substantially more in premiums than expected losses. In other words, they decide that self-insuring is the more cost-effective alternative. 

{mosads}Individuals today are increasingly concerned about their online security but don’t have a clear understanding of the amorphous yet perilous risks they face. In response, new consumer-directed insurance products are being offered to guard against cyber attacks.

While such products are designed to insure against some of the risks and expenses arising from individually focused cyber attacks, they don’t necessarily mitigate a consumer’s nightmare scenario. That scenario goes beyond having personally identifiable information stolen from the IRS or Target to having your bank or brokerage account drained or otherwise wiped out by a malicious actor. And no insurance product exists today that safeguards individuals from that most catastrophic of cyber risks.

Insurance products require an actuarially sound basis for pricing policy coverage, yet insurance companies are finding it difficult, if not impossible, to quantify the precise likelihood and potential impact of a cyber attack on individual financial accounts. Given recent and past intrusions into the banking system, a threat clearly exists—whether through data or financial theft—but pricing the likelihood of that risk remains hugely challenging. One point of consolation, at least the financial sector has one of the most sophisticated network defenses of any sector.

Most consumers don’t fully understand the extent of their financial exposure if such a nightmare event were to occur. In the U.S., several entities chartered by Congress (e.g., FDIC, SIPC, NCUA) insure banking and brokerage accounts. But those organizations do not insure against theft or fraud at the institution. Instead, those situations are often covered through separate (private) insurance policies arranged by financial institutions.

In order to develop an efficient insurance marketplace, certain conditions will need to be met. The U.S. Department of Homeland Security (DHS) has in recent years explored this topic with private and public sector stakeholders, including insurance companies. Those companies cited several reasons for their limited offerings in this area, chief among them being a lack of actuarial data; aggregation concerns flowing from an unwillingness on the part of cyberattack victims to report incidents; and the unknowable nature of all potential cyber threat vectors. DHS suggested formation of an anonymized cyber incident data repository accompanied with advanced consequence analytics. Without such data and analytics, pricing cyber insurance will continue to be imprecise—and the market will be slow to develop, if at all.

MIT’s Internet Policy and Research Initiative and Center for International Studies held a series of workshops over the past two years with leading industry, academic, and government experts to identify deep weaknesses in critical systems, in how those systems are operated and in the devices that connect to them. The integrity of financial data topped the list of participants’ concerns. A dire warning from those workshops is that, given the digitization of accounts and back-up systems, “an attack that destroyed or corrupted the accounts of a major financial institution could wreak devastating economic havoc unless those accounts could be quickly and reliably reconstituted. A sophisticated network attack could lock-up this sector.”

The basics of insurance require a broad group of diverse policyholders to pool their loss risk with that of other policyholders, with an actuarially sound premium charged to all. Given the uncertainties around likelihood of loss, the insurance industry will be hard-pressed to develop a business model today that reflects those needs. While sufficient data may already exist to insure against cyber nuisances, the bigger challenge for the industry is to find ways to prevent, and perhaps even insure against, attacks on the financial sector and its institutions.

Douglas Criscitello is a senior lecturer and executive director of the MIT Golub Center for Finance and Policy at MIT Sloan School of Management.

The views expressed by contributors are their own and are not the views of The Hill.