In 1988, Robert Tappan Morris, then a graduate student at Cornell University, decided to write a computer program to measure the size of the still-nascent Internet. Morris’s effort, a cleverly written bit of code that exploited security weaknesses, quickly spread through the computer network, bringing many systems to a halt by copying itself endlessly.
Within hours, a portion of the Internet had simply stopped functioning. Professors lost days of work. Emails went undelivered. Machines took days to disinfect. Morris’s caper made the front page of the New York Times, and he became one of the first people convicted of a computer crime under federal law.
Today, a handful of office buildings in any major downtown contain as many connections as the entire Internet had in 1988. An attack that literally brought down much of today’s Internet, as Morris’s did, would be devastating.
But the attacks we do commonly see, and which frequently make headlines, have taken on a very different character. Major data breaches have rattled the stock prices of firms like Target, which reported more than $252 million in damages from its 2013 breach. Sony Pictures Entertainment suffered a 2014 breach that U.S. officials say traced to North Korea, possibly in protest of the movie The Interview (a satirical depiction of the assassination of Kim Jong-un). More recently, Ashley Madison, a website for affair-seekers, was hacked by a group claiming to be disgusted with its business model.
Sony canceled the theatrical release of its movie, and Ashley Madison’s CEO resigned. But thus far, the sort of catastrophic, system-wide failure that we saw in 1988 has not yet come to pass. The last worm sufficiently widespread to slow the entire Internet was Sobig.F in 2003. Indeed, as software and operating systems have diversified and real-time updates have made it easier to distribute security patches, fast-spreading worm and virus attacks like Morris’s are becoming less common.
Which is not to say that cyber risk isn’t an issue to confront. The German insurance firm Allianz estimates the United States has suffered more than 5,000 data breaches over the past decade, at an average cost of $3.8 million each. Insurance companies have noticed. Changes made in May 2014 by the industry advisory firm ISO (Insurance Service Office, Inc.) to the commercial general liability policy included much broader exclusions of the kinds of cyber risks that standard policies used to cover. Instead, companies are having to buy separate cyberinsurance policies in what’s called the “stand-alone” market.
The current market for cyberinsurance is estimated to be about $2 billion, with the largest policies covering about $500 million of risk. It is a fast-growing market, with predictions it could triple in size over the next seven years. Nearly 80 percent of insurance executives surveyed earlier this year by the Insurance Information Institute, a trade organization, said cyberinsurance is a growth field.
But for some, that growth has not been fast enough. In a report last month, the Federal Insurance Office estimated that current market risks require policies with coverage limits of at least $1 billion, twice what’s currently available. And industry-watchers are beginning to hear calls for a new, much-expanded government role in cyber risk that might include a federal “backstop” to pay large claims. At least two congressional offices are working on bills on that topic.
There are major reasons to be suspicious of efforts to increase the government’s role in cyberinsurance. The market, though relatively small, is working fine—it’s growing and companies offering the coverage are fully solvent. Moreover, insurance is just one way to manage risk, and it isn’t the proper role of the government to prescribe that it be the only way. Finally, the risks seen in the market thus far are not of the “systemic” variety. Hasty action to insert government into this area would almost certainly do more harm than good.
Some of the current flaws in the market for cyberinsurance come simply from a lack of experience. As with any new risk, it takes time for insurers to develop mathematical models and gain experience that let them price their policies appropriately. As a result, the terms and conditions of policies now offered, and the premiums demanded for those policies, can vary greatly based on the size and nature of the business and the appetite of the individual insurer. While a small firm seeking a general liability policy might find that all firms offer essentially the same coverage and have prices that differ by 15 percent, it’s not uncommon to find 50 percent variances in price and vast coverage differences in the cyberinsurance marketplace.