Insurance may be the hero the cybersecurity industry needs

When it comes to cybersecurity, there is no doubt about the importance of “security by default.” This approach ensures users of products are protected against the most prevalent threats without having to take any special measures. Delivering security by default across the board does, however, present challenges. Product cost and innovation speed, for example, can be put under pressure.

The good news is that the enforcement of security by default does not need to be ubiquitous to be effective. A handful of mature products create the majority of cyber risk, with diminishing returns on innovation.

Enforcing security by default standards may, surprisingly, not end up falling to the government. In fact, when it comes to enforcing the utmost cybersecurity protections, the insurance industry may be an unsung hero.

Governments are actually more likely to selectively adopt insurance standards and make them into compliance requirements, and to protect consumers from incurring the full costs of compliance.

When software began to power business activity almost 30 years ago, cyber risk was very low, and every new version created huge functional gains — so it made sense to prioritize fast innovation cycles above all else. Software always “barely worked”, and the risk associated with broken technology has almost entirely been assumed by the buyer.

This approach no longer serves, with cybercrime and insecurity reported among the top 10 global risks in 2023, according to the World Economic Forum. Much of today’s business software is mature. New versions offer marginal improvements to productivity, while often creating critical vulnerabilities that affect billions of users.

The most widely adopted software products should incur the highest standards for security. They have a very large user base and are very mature. One example: In the last five years, 50% of all ransomware attacks in the US originated from a single remote access tool (RDP), built into the Windows operating system.

This is why a pragmatic, segmented approach — one that prioritizes high security standards, by design and by default, to the most relevant software — will be much more effective at moving the needle on cyber risk compared to trying to solve the risk across the entire technology sector.

It may not be explicitly said, but software currently runs on a “use at your own risk” model. This means most tech vendors aren't accountable or liable for the consequences of the risk they create via constant software vulnerabilities. When an attacker exploits a vulnerability, the business using the software (and its insurance provider) bears the resulting financial, legal and reputational burden.

For larger enterprises with a dedicated security team that can stay current on ongoing updates and emerging vulnerabilities, the risks may be manageable. However, small and medium-sized businesses without dedicated in-house security teams and resources carry more risk, and they are often unaware of the potential catastrophic damage until it's too late.

Moreover, as malware technology has advanced, so have the security tools an organization needs to thwart those risks. These sophisticated tools are not only too expensive for most small businesses, but they require expert operators that these small businesses can’t afford to hire or rent from a managed security services firm.

The bottom line: Small businesses are experiencing a market failure in cybersecurity. They are left behind, with a complex and growing threat landscape, too-expensive tools, no accountability from tech vendors that create new holes in their security and little to no government support. This market failure isn’t going to fix itself.

Cyber insurance could be best suited to solve this problem through its singular ability to create financial incentives for security compliance that the market cannot bring about naturally.

The insurance industry has the data, expertise and motive to determine what can help reduce cyber risk to the level that it is insurable. Historically, insurance has been the de facto security moderator in every risk stack, taking on most of the burden of standardizing risk mitigation technology and processes across industries. A clear example is the enforcement of airbags installed in every car by the insurance industry, which sued the United States Federal Government in the Supreme Court to make this a requirement, despite objections from the automotive industry.

The insurance company is credible. It has money at stake, it is impartial to which security solution wins and it has data at scale — including the actual cost of a cyber incident, not just the prevalence of one. Underwriting requirements are a great compliance tool that can effectively establish a standard. Customers of high-risk or badly configured software will be “punished”, creating accountability for the choices made by the vendor. Secure software will receive premium credit and the blessing of the insurance company.

Governments can then piggyback on the work done by the insurance industry and turn these standards into compliance requirements, where applicable.

For small businesses, the insurance company can also fix the market failure that keeps software out of reach today. By bearing the risk, the insurance company has an incentive to help companies improve their security and avoid an incident. The insurance company can in some instances provide security software and operations to help lower losses among customers. Furthermore, the insurance company has an incentive to support small businesses in selecting better software and managing its configuration.

A new generation of InsurSec companies (insurance + security) could move us toward a world where strong security is the default and not the exception; where consumers aren’t responsible for the shortcomings of the software they rely on.