The Taiwan Banker


Ransomware puts the entire cybersecurity insurance model at risk

Ransomware

2023.10 The Taiwan Banker NO.166 / By David Stinson

Banker's Digest

Around 2017, fears abounded that the ‘Obamacare’ healthcare markets created several years earlier by the Affordable Care Act were on the verge of a ‘death spiral.’ The Act prohibited insurers from refusing policy applicants on the basis of pre-existing conditions. Combined with a high degree of political uncertainty, it was unclear how many insurers would continue to offer such policies. The concept of a death spiral means that incentive effects come to dominate insurance risk accounting. As prices rise and coverage falls, less risky customers exit the market to self-insure, leaving more customers with undisclosed risks. As the ratio of revenue to payouts increases, insurers can only raise prices further, restarting the process, until they must finally exit the market due to a lack of profitable customers.

Obamacare markets eventually stabilized, but the cybersecurity insurance market is currently undergoing a similar process in some respects. Coverage is decreasing, often excluding ransomware, “acts of war” (which can include any state-sponsored attack), and other highly relevant threats, even as prices explode. The application process is also growing longer, often taking half a year even after certain prerequisites have been met, and claims are increasingly being rejected for improper security procedures. Many of these growing pains are unavoidable, reflecting the underlying difficulty of evaluating cybersecurity risks, which are often globally correlated – a major difficulty for financial modelling. The insurance mechanism can improve overall standards while still allowing for private self-regulation, and a full market collapse could even impact the larger cause of private enterprise. Nevertheless, the next steps for the insurance industry are far from straightforward.

Form follows function

One important market dynamic does not reflect moral hazard, but rather a potentially healthy process of market development. Risk is being covered at higher levels on the insurance hierarchy. As re-insurers command increasing portions of policy revenue, insurers are almost turning into distributors rather than principals. The re-insurers themselves, meanwhile, are also increasingly cautious about the market, which lacks the kind of historical data that is otherwise typically used to underwrite insurance. Re-insurance is used when the first-level insurers find that risks are too large and abstract for them to fully grasp. According to Tom Johansmeyer, head of property claim services at the insurer Verisk, in an article in Harvard Business Review, the market would be improved through a further level of retrocession policies financed by Insurance Linked Securities (ILS). It would make sense that cybersecurity requires a relatively deep market, just as computer code itself is organized into multiple levels of abstraction. Maybe form follows function.

Some of the difficulties clients are now experiencing obtaining policies in fact reflect alignment of incentives, implying that even if risk is difficult to understand, it is not a moving target. According to recent research by the research and advisory firm Forrester Research, companies with cyber insurance tend to be safer than those without. This finding reflects efforts by insurers to enforce standards on policyholders, thus reducing moral hazard, as well as a selection effect during the application process. In other words, some applicants are being rejected – but maybe insurance should be considered a status symbol rather than a right anyway, forcing applicants to first implement their own protections before relying upon outside help.

Victims become criminals

In the past, it was sound to assume that insurers were on the same side as policyholders, and the game was indeed fair. Lax defenses by policyholders would lead to unpredictable consequences far beyond the scope of an insurance payout, thus both parties had similar incentives. The thriving development of ransomware has, however, upended incentive structures. Moral hazard has become a first-order market force; payouts are not just a cost of doing business, but a direct subsidy to crime. This prospect implies that ongoing difficulties with risk modelling are indeed very deep. When creating a model of complex phenomena, one hopes that the very act of creating the model would not affect the reality being represented. The fear of misaligned incentives is compounded for rare events. It is statistically difficult to induce a priori probabilities from small sample sizes: how many lottery tickets would you need to buy before determining whether the game was fair? The situation on the horizon is indeed starting to look like a death spiral.

Ransom negotiations, which are typically outsourced to specialist consultants, make a fascinating case study in market formation. Both sides of the negotiation must establish trust. The attacker must assure the victim that they will restore their files after a payment is made, which is a matter of market reputation. In fact, many do not. More surprisingly, the victim side also benefits by establishing trust with the attacker. Kurtis Minder, founder of the security company MindSense, noted that complimenting the skill of an attacker is one way to bring down ransom demands. This step can assure the attacker that the victim side shares their understanding of relevant technical systems. With market forces fully in play, victims get a real-time opportunity to choose between the interests of their attackers and their insurers, bringing moral hazard to the forefront of risk calculation. From this perspective, it is almost better (from both the private and the social perspective) for victims to be uninsured, so as not to appear able to pay. Attackers typically investigate their targets’ ability to pay ahead of time using hacked data, and will surely notice such details.

A question of philosophy

The situation is made worse by the Ransomware-as-a-Service (RaaS) model, a cheeky name for flourishing darkweb markets for active vulnerabilities which enable a division of labor between initial system penetration and financial exploitation. The marketization of ransomware (which has also been enabled by the broader rise of digital currencies) can ironically make risk easier to model. The accompanying incentive problems mean that such information nevertheless cannot be usefully incorporated into policy pricing. Put differently, risk has become more straightforward to calculate: it is worse.

So which diagnosis is correct? Is the problem a relatively simple lack of market depth, or was insurance the wrong model to begin with? The answer goes to the heart of the philosophy of cybersecurity. The original concept of a computer virus was inspired by biology, suggesting that code could reproduce in a morally neutral fashion. Some biological viruses can even be neutral or beneficial to their host, an important aspect of evolution. Many early ‘hacktivists’ indeed thought they could make the world a better place, either by inspiring offline political changes or by acting as nascent penetration testers. The alternative concept, on the other hand, is offline transnational crime which incidentally uses the internet. It is both immoral and impractical to insure against the possibility of being convicted of a crime, thus elevating the question of identifying the criminal to paramount importance. But criminalizing ransom payment undermines rule of law itself, when doing so may be necessary in the moment in order to save businesses and even lives. Furthermore, up-to-date threat information is important for mitigation, and would become much harder for law enforcement agencies to obtain under a more adversarial relationship. Which economic force eventually comes to dominate – hierarchical abstraction or incentive structures – may help determine the future of property rights.