It sounds as if it was named by a 7-year-old boy and looks like a film set. Housed in a sleek black truck, IBM’s “X-Force Command Cyber Tactical Operations Center” travels from city to city, simulating the experience of falling victim to a cyberattack.
Teenagers “understand what’s going on straight away,” said Caleb Barlow, who runs the show. Board members at big companies enjoy a visit, too: “It’s so different from what they usually do.”
But their interest is not merely recreational. Companies are increasingly worried about the threats lurking in their computer systems. A survey in 2018 by KPMG and Harvey Nash, a firm of headhunters, found that only a fifth of the bosses it surveyed thought their firm was well prepared for an attack.
That gloomy assessment is borne out by high-profile hacks. Such mishaps are feeding a fast-growing market for specialist cyberinsurance. Solid numbers are in short supply, but Munich Re, a reinsurer, reckons that a market that wrote $4 billion of premiums in 2018 could be writing $8 billion to $9 billion by 2020. Insurers are scrambling to hire scarce specialists.
The need for robust insurance will only grow as companies become more reliant on computers, hackers get more cunning and regulators take an increasingly dim view of lax security. But the unique nature of cyber-risks makes them hard for the insurance industry to handle. In the worst case, they could blow up the nascent market altogether.
Cybersecurity risks are inherently tricky to price. Cyber-risks are so new that insurers have only limited data, and the pace of technological change means that what they have quickly goes stale. “In a flood, we know the ways in which water can damage things,” said Shannan Fort of Aon, an insurance broker. “And that’s not likely to change in the next five to 10 years. But the way we use technology has changed fundamentally just over the past decade.”
The WannaCry malware of 2017 illustrates the point. Armed with a software vulnerability stolen from the National Security Agency, it infected a quarter of a million computers in 150 countries in just a few days. Its spread was slowed only by luck. Marcus Hutchins, a security researcher later arrested on an unrelated matter, gained access to the malware’s control system, which allowed him to shut it off.
Whether the industry can figure out a way to deal with such “risk aggregation” is an open question. As one insider said, it “sort of breaks the whole concept of insurance a bit.”