Last month I attended the annual New York Advisen Cyber Security Conference. The event which this year had over 900 attendees is frequented by insurance representatives, brokers, risk managers and, yes, a handful of lawyers, all of whom work in the cyber and cyber insurance space. Its probably the premier conference of its kind.
It’s funny. I’ve been attending this conference for about 5 years. When I first started coming, the conferance was all about sales, marketing and underwriting. I remember sitting at a table my first year having lunch with a handful of 20 something underwriters who were gushing over their new insurance product called cyber insurance. They trumpeted the freedoms the lack of forms provided and how they could even make up policy language as they went along. When I spoke up and said what about future claims, it was as if I was speaking in a foreign language: they were completely baffled.
Fast forward 5 years. The theme of this year’s Conference was “Solving The Cyber Risk Equation”. The Conference was devoted primarily if not exclusively to what to do about claims and the enormous and uncertain risk cyber poses under the policies. Things have a way of evolving along a natural course.
The good news is that the attendees and speakers have become much more sophisticated about exactly what carriers are getting into when they write cyber policies and what kinds of risk they are biting off. They are also beginning to look long and hard at the future and the problems and issues that the proliferation of data through the internet of things and data analytics may pose for all insurance- not just cyber.
The Conference kicked off with a Keynote address by Adm. Michael Rogers, Director of the National Security Agency. Director Rogers talked about his view of the cyber landscape and the threats. He made the point that cyber carriers and, for that matter, society as a whole are dealing with a highly fluid and ever changing cyber threat where past data does not correlate well with future outcomes. In short, a potential insuring nightmare. But Director Roger’s other conclusion: cyber insurance is in a unique position to strengthen cyber security practices of insureds by incentivizing sound cyber practices.
This all sounded well and good. But as the day went on, what this may actually mean practically has a potential dark side that may or may not be acceptable to society.
For example, Nicole Eagen of Darktrace, a cyber security analytics firm, noted in her panel presentation that many cyber attacks occur due to human missteps and errors. According to Eagen, we now have the ability, though, through artificial intelligence and data analytics to take a virtual look at a company’s employees, and determine from that look what is normal behavior for each of them. Analytics can then figure out when those employees aren’t acting consistent with their norm. This then could signal actions that decrease cyber risk and steps to stop improper behavior before it causes harm. That in and of itself is kind of spooky. How much do we really want our employers monitoring our every step and labeling what we do normal or abnormal?
But what happens when insurance becomes involved. Should insurance carriers who insure against cyber risk have access to this data? Should they insist on having it? That would certainly enable a carrier to put into place protections to reduce the risk of data breach. And what if a carrier offered a premium discount to a business that allowed this kind of access
? Most businesses would jump I think at the chance to in essence sell their employees’ information in exchange for reduced premiums and better protection.
Mark Jenkins of PaloAlto Networks, a cybersecurity protection and detection firm, kicked off the next panel and raised the possibility that a carrier could use data collected from IoT devices to make real time algorithmic decisions about coverages and premiums. Jenkins laid out a hypothetical where data collected by your auto and communicated to your carrier would signal if you were driving too fast too long. Or the auto data could show you frequented areas of town where the risks of accidents or theft were high. Your carrier could then use this data to make real time adjustments to your premium based on your behavior. Mark thinks this not that far off.
These ideas did not go without push back however. In the same panel, Adam Cottini of Arthur Gallagher, an insurance brokerage firm, pushed back and asked is this something we really want? Do we as a society and as insuring consumers really want to give up our privacy and allow our carrier to know where we go and how fast for this kind of monitoring and decision making? He thought many would not. And later in the day, Shiraz Saeed of Starr Insurance raised the same issue: “you have to have some level of anonymity in this country. Our Constitution guarantees it. We have all made mistakes in life we would just as soon not everyone know about.”
“You have to have some level of anonymity in this country. Our Constitution guarantees it. We have all made mistakes in life we would just as soon not everyone know about.”
So the day quickly morphed from a cyber insurance conference to, in part, a philosophical debate about whether insurance companies should have and use analytical tools to reduce risk and premium or whether that so far invades basic human privacy to be unacceptable. And it raises related questions of who owns data, what is it value and who controls it. I Kathleen Dooley, GC of , a company whose mission is to use the block chain to enable consumers to make decisions about their health data such as who can access it and to even sell it if the so desire. Dooley made the point that personal health data is property and we have certain inherent rights with respect to it.
I actually predicted many of these very issues in a Implicit in my analysis is that my tooth brushing data does have value-I can trade it for reduced premium.. In particular, I was interested in how business and insurance carriers could use data to reduce costs to all. I focused, for example, on a new electric toothbrush that would communicate to your dentist how often you brushed your teeth. I postulated that this same information could be communicated to your health care provider who could in real time change your premium. Would that change behavior? It would mine. Do I really want Delta Dental to know this? Depends I suppose on what its worth-how much would I save?
My guess is that people and businesses will elect to buy cheaper insurance if all it means is giving up some level of privacy. Indeed, we make this election every day
My guess is that people and businesses will elect to buy cheaper insurance if all it means is giving up some level of privacy. Indeed, we make this election every day. (How many of us trade privacy for the communication abilities offered by Facebook in order to get that free service?). Meaning that we will make choices based on the implicit monetary value of our data. Looking at how we have willingly, consistently and even happily given up privacy rights for convenience and cost, its inevitable this is where we are headed.
But this isn’t all bad. If my insurance company monitoring my teeth brushing habits means I will brush my teeth more, have less cavities and be more healthy in the end so much the better. The fact that insurance pays for filling my cavities doesn’t make going through the process any less an ordeal.