G2TT
Source type: Paper
Document type: Working paper
Addressing the Private Sector Cybersecurity Predicament: The Indispensable Role of Insurance
Ariel (Eli) Levite; Scott Kannry; Wyatt Hoffman
Publication date: 2018-11-07
Year: 2018
Language: English
Overview: Harnessing the full potential of cyber insurance will be imperative for preventing systemic cyber incidents of concern for governments and the private sector alike.
Abstract

Executive Summary

The private sector is struggling to contend with the growing scope, scale, and complexity of cyber risks to corporations’ finances, reputation, and even property. These risks cut across multiple areas of business operations and permeate relationships with suppliers, customers, and third parties. Most governments are by now aware that cyber threats can severely damage and disrupt their economies and infrastructure, and many invest significant effort and resources to confront this danger. Yet virtually all face serious bandwidth limitations in addressing cyber threats to private entities. Concerns over potential escalation or blowback if they pursue or retaliate against foreign hackers, including potential states or proxies, further dampen governments’ enthusiasm for defending the private sector. Furthermore, those governments that seek to address private sector cyber vulnerabilities face serious pushback against onerous regulations and reservations about creating a moral hazard if they assume responsibility for protecting the private sector. These reasons and others have made a governmental solution to this worsening private sector predicament unsatisfactory—a situation that is unlikely to fundamentally change for the foreseeable future.

Faced with this sobering reality, the more resourceful and sophisticated private sector entities are scaling up their own efforts to address cyber threats. In addition to a range of security measures, many have turned increasingly to the risk-channeling mechanism offered by cyber insurance policies. Yet the cyber insurance coverage presently available provides only a limited, uncertain, and ad hoc solution. The insurance industry harbors far greater potential to address the cybersecurity challenge. Historically, insurance has played a crucial role in understanding, managing, and mitigating the risks arising from emerging domains of human activity, particularly in the context of evolving technologies. This holds true for cyberspace, where insurance has the potential to assume a more fundamental role in reshaping the risk landscape. While this potential has largely gone unexplored, its historical track record in other domains suggests that the insurance industry could perform six core cyber risk mitigation functions: (1) engineering risks, (2) channeling corporate risk, (3) managing systemic risks, (4) harnessing collective security insights, (5) shaping broader risk trends, and (6) harmonizing risk-related standards and practices internationally.

The current state of cyber insurance remains far from the ideal role envisioned here. This paper analyzes the range of barriers that stand in the way of a properly functioning cyber insurance market—including practical, technical, operational, and strategic challenges, within and outside the insurance industry—and explores a series of individual and complementary efforts by the insurance industry, governments, vendors of information and communications technologies (ICTs), and other key stakeholders in the private sector toward realizing the full potential of insurance to reshape the risk environment. Cyber insurance will ultimately be indispensable in a broader solution to the escalating cyber risk challenge. Harnessing its full potential will be imperative not only for managing corporate cyber risks, but for preventing potential systemic cyber incidents of growing concern for governments and the private sector alike.

Introduction

As human activity continues to migrate to cyberspace, many services and functions that are vital to individuals, organizations, institutions, and society as a whole have become much more dependent on the cyber world.[1] One aspect of this trend is the way in which the global economy increasingly relies upon the internet to propel economic growth.[2] As enterprises tie more equities to intangible assets such as intellectual property and data, factors that affect these resources have greater influence, and increasingly control, over physical assets and operations. Moreover, such factors have growing cognitive effects on how people think and interact within society. The meteoric rise in the number, type, and uses of connected devices—from smartphones to home appliances to automobiles—as well as the rapid growth in the role that artificial intelligence plays in facilitating autonomous behavior, are indicators of this functional and structural shift from physical space to the logical and cognitive layers of cyberspace.

Unsurprisingly, this transition has both positively and negatively affected human interactions. Among the negative effects are efforts by individuals, private entities, and even governments to exploit these trends to promote their ideological, political, strategic, and economic interests within and through cyberspace. Some of the most worrisome manifestations of these actions include cyber crime, cyber espionage, and cyberwarfare. In 2017, for instance, cyber attacks cost financial institutions alone over $18 billion.[3] But cyber risks are not confined to malicious activity, as flaws in product development or accidental misuse create equally worrisome vulnerabilities. Consequently, individuals and corporations currently face acute cyber risks to their data (confidentiality, availability, and integrity), operations, and provided and consumed services.

Ariel (Eli) Levite
Levite was the principal deputy director general for policy at the Israeli Atomic Energy Commission from 2002 to 2007.

Cyber risks increasingly have a bearing on corporate performance, well-being, and in extreme cases even survival. A nascent market for cyber insurance has already emerged alongside other mechanisms for mitigating and channeling these risks. While the appeal of insurance to address this challenge is growing, efforts to unlock its potential thus far have generally been rather narrowly focused on its traditional role in engineering and channeling risk. Recent studies by the Organization for Economic Cooperation and Development (OECD) and the Geneva Association have detailed the current state of cyber insurance, barriers to its maturation, and potential policy solutions.[4] The present study concurs with many of their sound observations and important recommendations. However, it aims more ambitiously to broaden the aperture through which cyber insurance is viewed as an essential element of an approach to confront the global cybersecurity challenge.

Governments and the private sector must collaborate to realize the considerable potential inherent in the insurance industry to not only diminish private sector cyber risks but also prevent systemic cyber incidents of growing concern to both. Unlocking this potential begins with an understanding of the scope of the cyber risk challenge and the dynamics shaping it.

The Cyber Risk Environment

In the U.S. market alone, the total number of cyber insurance claims came close to doubling between 2016 and 2017, from 5,955 to 9,017.[5] Although this indicator only partly illustrates the present magnitude of cyber threats, it nonetheless suggests the pace at which this problem is growing. Yet for a number of profound reasons, governments and corporations have found it difficult to satisfactorily address and respond to cyber threats:

  • Commercial incentives. As companies introduce and expand the use of connectivity features such as remote access to data, processes, services, and products, these more numerous points of contact create more cyber attack vectors. Vendors of information and communications technology (ICT) products and services have similar economic incentives to roll out new technological features quickly, and this speed comes at the expense of cybersecurity. These incentives also account for at least some procrastination—up to and including outright renunciation of responsibility—in addressing cybersecurity vulnerabilities, especially in older (and therefore less economically viable) products. This problem is especially acute among smaller and less-sophisticated players, which are common in the Internet of Things sphere. Although individuals and corporations benefit economically from their greater dependence on ICTs and industrial control systems (ICS), they face growing exposure to cyber risks to the integrity and reliability of those systems. The consequences of cyber events also have expanded, with one particularly visible example being the effect of computer glitches on the grounding of airline operations.[6]
  • Technical limitations. Due to the sheer complexity of ICTs, testing and verifying the integrity and security of cyber systems is inherently challenging. As these systems have grown in complexity and have become subject to more frequent modification, preventing weaknesses from creeping into ICTs has become exceedingly difficult.
  • The appeal for intelligence, military, and law enforcement operations. The volume and quality of human activity in cyberspace has attracted significant government attention. As more government entities worldwide enter the field or expand their existing footprint, they may be tempted to seize or hold onto existing vulnerabilities and even create new ones. They may also deploy more sophisticated tools for harnessing these vulnerabilities, rather than striving to eliminate them.
  • The lure for criminals, terrorists, hacktivists, and other potentially malicious users. All of these groups can and have used cyberspace to promote their diverse aims. The present payoff matrix of such actions—with high potential yield and low odds of getting caught and paying a serious penalty for cyber actions—increases its appeal.
  • The broad dissemination of highly potent cyber attack tools. These tools include those that have been leaked or stolen from leading nations’ cyber weapon arsenals, as well as those that have been reverse-engineered by other entities.
  • The growing potential for systemic and cascading impacts of cyber incidents. This is driven by multiple, intertwined trends: widespread reliance upon a limited number of common hardware and software platforms and services; market consolidation in key areas of the ICT sector; the creation of single points of failure for entire industries; complex, globalized supply chains; and the ever-expanding interconnectedness of systems and networks, among others. At the same time as the scope and scale of connected devices has rapidly grown with the Internet of Things, these connections have penetrated deeper into the physical world, including in the manufacturing sector, industrial operations, and key industries such as aerospace. Taken together, these trends generate new possibilities for cyber attacks to evolve and propagate widely and unpredictably throughout the ecosystem and cause broader ripple effects.[7] In recent years, this phenomenon has appeared repeatedly, as in the rapid spread, globally, of recent attacks presumably conducted against Ukrainian assets.[8]
  • Leveraging machine learning. Looking ahead, the role that machine learning may play in the cybersecurity domain could not only help defenders but also benefit attackers, improving the sophistication (for example, tailoring) and efficiency of their actions.

In spite of these concerns, the current cybersecurity picture is not entirely bleak. In recent years, multiple governments have acknowledged the growing cyber threats and attendant risks to their private sectors. This awareness has yielded government policies, regulation, and legislation—as well as the creation of dedicated institutions and other initiatives—to protect their national cyberspace, their citizens, and their economies from exploitation by malicious cyber actors. Numerous and diverse government and corporate efforts are under way to try to ease this predicament. Some have attempted to track down and prosecute cyber criminals; others have created structures to foil and respond to especially egregious attacks; still others have promoted better cybersecurity practices across the entire ecosystem. Some of the more sophisticated players in the corporate world have established or expanded their own cyber threat intelligence operations and cybersecurity practices applied to their own networks, products, and services and have extended these throughout their supply chain and to customers. Some of these efforts have shown real promise for limiting or at least channeling cyber risks. For example, many larger players in the ICT/ICS space have been developing more sophisticated standards and practices to enhance the security and reliability (as well as the performance) of cyber products.[9] The importance of and benefits from these efforts should be neither discounted nor discouraged.

Scott Kannry
Scott Kannry is CEO of Axio, a cybersecurity optimization firm.

On balance, though, the dynamics and incentive structure that have shaped the evolution of cyberspace do not leave much room for optimism that the cyber risk situation will fundamentally change for the better anytime soon. This sobering assessment reflects an awareness of the motivations that drive human and state action, as well as the unending competition between attackers and defenders. It also stems from a basic fact about human nature: failure is inevitable in systems (especially complex ones) designed by humans. Recent trends in cyber attacks suggest that this point is not lost on aggressors, who correspondingly have chosen to direct their efforts at human attack surfaces. These circumstances create cyber vulnerabilities that could be exploitable for adversarial actions and are far more challenging to neutralize.

The Government Predicament

Strategic, political, and structural reasons hamper governments’ capacity and will to diminish the scope and severity of cyber attacks against the private sector, let alone to disincentivize attackers:

  • Bandwidth limitations. Governments are naturally predisposed to first address cybersecurity risks to their own networks and services, and then tackle such threats to critical infrastructure and other forms of potentially systemic and catastrophic risks. The remaining threats to corporations, civil society, and individuals are a much lower priority.
  • Moral hazard. For cultural, ideological, political, and economic reasons, governments vary in their willingness and capacity to assume financial and other risks to the private sector. Even those that do contemplate offering some form of insurance of last resort have limited willingness to underwrite private sector risks. At least some of these governments are concerned that by assuming significant responsibility to address private sector cyber risks, they would encourage undue complacency among these entities, thereby enabling them to avoid taking necessary precautions, building resiliency, and protecting their own equities. This philosophy holds true for virtually all threats to property; cyber threats are no exception.
  • Strategic ambivalence and priorities. Because of the inherent trade-off, tension, and synergy between offensive and defensive considerations, some forms of government behavior in cyberspace accentuate rather than ease the private sector’s cybersecurity predicament. Sophisticated cyber tools have been developed and employed for intelligence, warfare, and even law enforcement purposes, with more nations engaging in this activity. Moreover, all cyber players struggle to find the right balance between cybersecurity requirements on the one hand and offensive applications on the other. In cyberspace, even more so than in other areas, important defensive missions often must be conducted in tandem with or as a follow-on to offensive operations.
  • Deliberative restraint. Aggressive government action against foreign nations engaging in cyber espionage and warfare is fraught with risks and challenges. Thus, even the most sophisticated and powerful governments often back away from taking on some of the more aggressive forms of state-sponsored or -conducted cyber behavior. The difficulty in reaching an adequate and publicly usable level of certainty in attribution, concern about the legitimacy of the response against forms of behavior in which they also engage, anxiety about the utility of available options for response, and fear of (and vulnerability to) retaliation or other forms of blowback all seem to inhibit government responses to cyber attacks in general and those directed against the private sector in particular. Moreover, contentious domestic political implications often surround any potential assertive response to such attacks. These concerns also dampen government enthusiasm for owning the private sector’s cybersecurity risks more broadly.
  • Shortcomings of international collaboration. As cyberspace becomes more international and interdependent, international collaboration is indispensable when fighting cyber crime and aggression. But in cyberspace, far more than in the physical world, sovereignty is often blurred or contested. Formidable political and legal obstacles make it difficult to reach a consensus on what constitutes unacceptable behavior in cyberspace and which responses are legitimate to sovereignty infringement and other forms of offensive cyber conduct. Unilateral responses to unacceptable cyber behavior also face painful dilemmas, serious risks, and daunting trade-offs. The inconclusive debate over the private sector’s active defenses in cyberspace illustrates the gravity of the challenge to forming the necessary level of international collaboration through interstate agreements.[10]
  • Private sector pushback. Corporations resist intrusive government regulation and other forms of interventions in their internal affairs, including their cyber risk management practices. Some of the pushback comes from the private sector’s traditional concerns about government regulation, such as implementation costs and burdens, exposure to liability associated with compliance, and the risks involved in reporting cybersecurity practices (and breaches) to governments and the public. A further source of pushback comes from corporate reluctance to meet the competing demands of different governments in whose territory they are operating, or even from competing regulatory demands made by the same government.

All of these considerations ultimately lead to the conclusion that governments cannot be realistically expected to own, let alone fix, the private sector’s entire cyber threat problem. This situation calls for action in two complementary directions. One is to define space for a public-private partnership in managing cyber risks. The other is to reflect on the role of private sector entities and mechanisms in managing their own cyber risks. The focus here is primarily on the latter.

The Private Sector Predicament

To seriously weigh the potential role that the private sector entities and mechanisms can play in protecting their own cyber equities, it is necessary to understand the cyber-related challenges that the private sector faces in its daily operations:

  • The magnitude and complexity of cybersecurity risks. Cyber risks cut across most business areas and activities, directly or indirectly affect virtually every aspect of performance, and consequently present new liabilities and risks. Thus, effective cyber risk management presents conceptual, organizational, operational, technological, financial, and management challenges. Companies must assess and map their cyber risks, keep these assessments up to date, and figure out and execute comprehensive strategies to deal with them in house. Even if a company hires a cybersecurity vendor or works with a cybersecurity partner to solve these problems, it is no small challenge to determine which outside firms are best suited to address its cybersecurity requirements.
  • Cybersecurity investments draw on precious corporate resources. Investments in cybersecurity come straight off the bottom line, and yet may still provide insufficient immunity against the gravest cyber risks. This problem is further compounded by the tension between investing in cybersecurity technology and operations, or in cyber resilience and risk-channeling measures. Because of the novelty of the entire field and the immaturity of those measures, most corporations have invested in cybersecurity technology and operations at the expense of developing a more comprehensive, long-term approach.
  • The limitations of passive defenses. Passive defenses alone are insufficient to contend with increasingly sophisticated cyber attacks. Even when successful, their utility over time remains highly uncertain. And even when most successful, passive defenses fail to truly penalize cyber predators, and effectively encourage further attempts to breach corporate networks, products, and services.
  • Legal limitations and prohibitions on active cyber defenses. In many jurisdictions, some of the more active cybersecurity measures remain ideologically and legally contentious or are outright prohibited in the private sector. Even where these measures may halt or impose costs upon cyber attackers and help law enforcement agencies pursue them—thereby raising barriers for entry and diminishing criminal appetites for such activities—the private sector can only go so far in its efforts.[11] Moreover, most corporations are not presently able to offset the potential liabilities associated with deploying active defense measures.
  • Insufficient ability to channel cyber risk exposure to insurance carriers. Even though the insurance industry traditionally plays a critical role in risk channeling, at present the private sector is not fully capable of taking advantage of cyber risk insurance. (This concern will be studied in greater depth in the coming sections.)
  • Hindrances caused by commercial competition and government regulations. Regulations on cross-border data flows and antitrust measures are a particular concern for collaborative private sector efforts, especially in the context of an uneven international regulatory environment. Adding to these concerns are political and national security considerations and commercial competition. Moreover, there is natural anxiety over the potential risks created by sharing intimate data about security practices. These factors not only hinder but often outright prevent critical efforts to pool resources, share best practices, and otherwise deal collectively and comprehensively with evolving national and international cyber threats.
  • Brittle public tolerance for cybersecurity breaches. Although the public reaction to reports of cybersecurity breaches remains inconsistent and uncertain, people are more aware of the risk and expect that corporations will do more to defend themselves against such risks and disclose any failures that occur. Market forces are already responding to such revelations, and corporations face potentially aggressive litigation if they fail to prepare for such scenarios.

The private sector predicament associated with cyber risks has generated two dramatic developments in risk management practices. One is to assign a greater share of business activity to the cloud, an approach that appears to channel much of the responsibility for protecting private companies’ data to a handful of large, sophisticated cloud service providers. The other is to turn to the insurance industry to perform its traditional role in risk channeling. Because this paper will focus on cyber risk insurance, this discussion will be confined to just one general remark about cloud service providers.[12] The cloud is rapidly emerging as an important commercial service and cybersecurity solution, leveraging the sophistication and economies of scale of its service providers. Governments and some of the world’s largest companies have now joined small and medium-sized enterprises in outsourcing the storage and processing of their data to cloud service providers. This trend has many benefits, but it also makes cloud service providers an increasingly lucrative target for hackers. For the time being, it is vital to remain vigilant about the effects that would ensue should cloud service providers suffer from major cyber incidents, which may rise to a systemic level considering the small number of major cloud service providers and the concentration of data and other equities in their systems. As a result, even the viability of the cloud solution may hinge on comprehensive cyber risk insurance packages including expanded coverage beyond just business interruption. This kind of package, combining cloud services with insurance coverage, has already begun to emerge and may in the future become an integral component of the cloud services model.[13]

Wyatt Hoffman
Wyatt Hoffman is a senior research analyst with the Nuclear Policy Program and the Cyber Policy Initiative at the Carnegie Endowment for International Peace.

In short, there are few readily available fixes to the private sector’s predicament, and none without pitfalls. Corporations need to redress the underlying sources of cyber risk, in particular the interaction of structural and behavioral factors that contribute to its dramatic expansion. The following section, therefore, is an effort to understand how insurance may contribute to cyber risk mitigation and management, to analyze why this potential has not yet been realized, and to explore what can be done to start unlocking this potential.

The Role of the Cyber Insurance Industry

As the reasonable and unsurprising calls for the insurance industry to be more closely involved in cyber risk management have grown, recent trends in this respect have been positive. The increasing rates for cyber insurance premiums, for instance, appear to indicate that more companies have been adopting cyber insurance products.[14] It is clear that cyber insurance can play an essential role in addressing the immediate situation that corporations face, but this hardly exhausts its potential to shape the broader cybersecurity equation. Insurance offers a uniquely promising contribution to resolving the private sector predicament. The industry’s ability to motivate behavior can begin to reshape the commercial incentive structure, and systematic efforts to do so may help reverse some of the deeper technical trends that make risk management so difficult.

The unique capacities of the insurance industry; its demonstrated ability to engineer and address complex risks; and the novel, multi-dimensional, (primarily) privately owned, and transnational nature of cyberspace all suggest that insurance is especially well suited to perform a pivotal role in stabilizing the domain. Its role can be evaluated through six core functions of insurance:

  1. Engineering risk. By accumulating data from experience and analysis of effective risk management practices, insurers can develop greater insight into the factors shaping the cyber risk environment.
  2. Channeling corporate risk. Underwriters, as per usual insurance standards, would take on the core function of assuming corporate cyber risks.
  3. Managing systemic risks. The process of identifying potential aggregation risks could not only avert exposure to catastrophic losses but also provide an invaluable service to governments trying to anticipate and address possible systemic cyber attacks. The ability to identify and help prevent cascading effects or single points of failure may diminish the prospects for severe economic or national security impacts; in turn, this may reduce the potential for an international crisis or conflict stemming from a cyber attack.
  4. Harnessing collective insights to improve security. The interrelated, interdependent nature of cyberspace is both a tremendous challenge and an opportunity. On the one hand, malicious capabilities rapidly diffuse and have ripple effects across the ecosystem. A new exploit or technique typically will spread quickly and be used by a vast range of actors, forcing defenses to constantly adapt to globally dispersed threats.[15] On the other hand, mechanisms to effectively leverage insights across the ecosystem can support common solutions. The insurance industry can be a central repository for granular data relevant to security across the private sector and can provide the analytical capabilities to extract deeper insights from this data beyond adapting defenses to immediate threats.
  5. Shaping broader trends in the risk landscape. In an environment where commercial decisions significantly affect risk exposure, insurers supply financial incentives to change private sector behavior. These changes could have major long-term effects on the opportunities for and cost-benefit analysis of malicious activity. For instance, insurers could dissuade policyholders from behaviors that dramatically expand attack surfaces, such as the unnecessary use of remote-control capabilities for critical infrastructure components, or conversely encourage implementation of expedient cybersecurity practices (even when they carry residual contagion risk) by extending liability coverage to those that apply them.
  6. Internationally harmonizing standards and practices. The lack of common standards or norms in such a transnational and interdependent domain exacerbates the cybersecurity challenge and creates a fragmented environment suitable to malicious activity. The difficulty of striking interstate agreements in this space
Subjects: Economy; Cyberspace; Technology; Cyber
URL: https://carnegieendowment.org/2018/11/07/addressing-private-sector-cybersecurity-predicament-indispensable-role-of-insurance-pub-77622
Source think tank: Carnegie Endowment for International Peace (United States)
Resource type: Think tank publication
Item identifier: http://119.78.100.153/handle/2XGU8XDN/417977
Recommended citation
GB/T 7714
Ariel (Eli) Levite, Scott Kannry, Wyatt Hoffman. Addressing the Private Sector Cybersecurity Predicament: The Indispensable Role of Insurance. 2018.
Files in this item
File name/size | Resource type | Version type | Access type | License
Cyber_Insurance_Form (1372KB) | Think tank publication | | Restricted access | CC BY-NC-SA
File name: Cyber_Insurance_Formatted_FINAL_WEB.PDF
Format: Adobe PDF

Unless otherwise stated, all content in this system is protected by copyright, with all rights reserved.