Enhancing Cyber Resilience through Insurance: Revisiting Anti-Bundling Regulation
Sophia Mauro and Taylor Grossman
SUMMARY
Cyber threats pose a risk to organizations of all sizes and risk profiles. Small- and medium-sized enterprises (SMEs) and state, local, tribal, and territorial (SLTT) governments in particular face a unique set of challenges. SMEs and SLTTs may not understand the full extent of their exposure to cyber risk, may have less access to resources to protect themselves, or may not be prepared to defend themselves against attacks and respond should one occur.
Rather than relying solely on regulation such as mandates and standards, market-based solutions offer another pathway to protecting these vulnerable entities from costly cyber attacks. In particular, policymakers, business owners, and cybersecurity professionals alike have long envisioned cyber insurance as one such mechanism for improving ecosystem-level security. While cyber insurance has become more common, most policies currently encourage consequence management after a breach rather than pre-breach cyber hygiene and resilience. Further, whereas most Fortune 500 companies hold cyber insurance policies, many SMEs and SLTTs have yet to obtain coverage.
This paper examines the strategic potential of cyber insurers, who ultimately share a long-term goal with policyholders: reducing the frequency and impact of cyber incidents. Insurers also stand to gain from their unique access to breach data. Through cyber insurance claims, they are one of the few actors in the ecosystem with visibility into how specific security controls affect security outcomes, and with the ability to interpret that relationship.
The report identifies requirements- and incentives-based approaches to strengthening security through insurance, focusing in particular on pre-breach security. It zeroes in on bundling as one incentive-based pathway toward enabling cyber resilience. Right now, traditional insurance policies can only provide reduced premiums at the time of underwriting or during the renewal process. A bundled security and insurance package might incorporate discounts or rebates into the security service, rewarding best practices or adoption of new cybersecurity systems over time. Bundling could also be tailored to the needs and risk profile of a specific company, such as an SME that may not qualify for security services from large vendors and would benefit from a security product or service scaled to its needs.
Thus far, bundling is not a prominent feature of the cyber insurance market, in part because the ecosystem is dominated by traditional insurance practices and hampered by an opaque regulatory regime. Bundling does raise important concerns around insolvency, risk visibility and pricing, anti-competitive behavior, and conflicts of interest arising from business-to-business relationships. This paper examines each concern in turn, assessing the potential benefits and drawbacks of expanding the practice across the market. While these issues must be handled carefully, the insurance market has developed a robust set of tools, including prudential regulations and disclosure obligations, that can, if implemented correctly, help mitigate these concerns.
Ultimately, the report concludes with three main recommendations:
1. Regulators and policymakers should encourage cyber insurers to present policyholders with more proactive pre-breach risk mitigation tools and strategies, including by bundling insurance with security products and services;
2. Researchers should conduct additional analysis to improve the understanding of bundling as a model: a deep dive into a select few firms that offer bundled services and a few insured SMEs or SLTTs that have taken up those services, along with an exploration of why more firms do not; and
3. Researchers should compare outcomes between states that allow bundling and states that do not.
While more investigation is needed, this report concludes that bundling is an important tool that should be considered in the cyber insurance market.