
Fight cybercrime the free-market way
Hackers cost businesses an estimated $445 billion a year, and that doesn’t include massive cybercrime that goes undetected or unreported. Much of the damage comes from rank negligence. My colleague Shane Tews last year referred to a study that found that most companies simply don’t deploy rudimentary security and that “92 [percent] of breaches could have been prevented with basic measures.” Tews wrote that data protection is not solely an IT department issue. It needs to be addressed at the highest level of a company.
I agree. The problem is that businesses continue to ignore the seriousness of cyber breaches. Other firms quite simply don’t know what to do. They need stern guidance.
Is this a role for government? I don’t think so.
First, government hasn’t shown itself to be adept at cybersecurity either. Look at the cyberattack on the Office of Personnel Management, which led to the theft of Social Security numbers and addresses of 21 million current and former government employees (including me) and the fingerprints of 5.6 million people.
Second, US intelligence agencies and law enforcement authorities, the true experts at cybersecurity, are more focused on discovering the methods of hackers and on prosecuting the bad guys than on protecting businesses.
Finally, it is hard to see how a federally imposed cybersecurity regime would not risk the privacy and freedom of business owners and their employees.
But there is a potential market-based solution to the problem. It’s called insurance. Insurance compensates people and businesses for adverse events. But, more important, it can shape behavior.
“To an economist,” writes Richard Zeckhauser of Harvard, “insurance is . . . unlike other commodities in one important respect: The cost of providing insurance depends on the purchaser.” For example, a non-smoker pays less for life insurance than a smoker. Lower premiums inspire risk-averse behavior. To save $5,000 a year in premiums, a smoker might quit.
In the case of insurance against cyber losses, a firm that acts responsibly will pay lower premiums than one that is sloppy. It is in the best interest of the insurance company to recommend, or even require, that the insured business takes the proper steps to protect itself. It is common in many industries for insurers themselves to codify and enforce best practices.
The first cyber-insurance policy, as my colleague Joy Yin pointed out on this blog in December, was written by AIG back in 1997, but “the market is still largely untapped.” PwC predicted it would reach $7.5 billion in premiums by 2020, tripling today’s levels, but that is still a tiny amount compared to the $500 billion spent on property and casualty policies.
While larger firms are waking up to the need — in part because they’re worried about shareholder lawsuits — only 2 percent of small- to medium-sized businesses have cyber insurance, and fewer than one-third of owners of SMBs even know that cyber insurance exists.
One big problem in developing a robust cyber insurance market is a lack of history. It is easy enough for life insurers to use actuarial data to figure out the likelihood of a smoker or non-smoker dying, but the risk of cyber losses and the precise losses themselves — including, as Yin notes, “reputational damage, business disruption, and lost business” — are much harder to quantify.
One reason for a lack of data is spotty information-sharing about attacks, out of embarrassment, liability, or simply ignorance. A legitimate role for government would be to serve as the central collection agency for this information — a role Washington currently plays, for example, in gathering data on disease, mortality, crops, and consumer prices. Open questions are which government agency would gather the data and how coercive the government should be in demanding information.
Of course, insurance presents a classic problem called “moral hazard” — the idea that people are more likely to engage in risky behavior if they are insured against the loss that the risky behavior could cause. You are more likely to leave a diamond ring lying around if you know you will be paid back in full if it is stolen. The antidote to moral hazard is some sort of pain, shared with the insurance company, for a loss — a deductible or the possibility that your policy won’t be renewed at the same premium, if at all.
Another objection I have heard is that businesses will put in place only those cyber protections that the insurance companies require; that is, the bar will be too low. Currently, however, the bar is non-existent, and it is more likely that protective requirements will be more adaptive to today’s needs and technology if they are set by insurance firms (with an urgent financial interest) than by the only alternative, which is slow-moving government.
Cyber insurance can provide the incentives that are critically needed to boost security. In general, insurance markets work extremely well, and cyber insurance shouldn’t be different from others as it matures. But it’s going to have to mature quickly. The losses are rising.
Source: TechPolicyDaily