Insurance Companies Pushing for More Cybersecurity

This is a good development:

For years, said Ms Khudari, Kiln and many other syndicates had offered cover for data breaches, to help companies recover if attackers penetrated networks and stole customer information.

Now, she said, the same firms were seeking multi-million pound policies to help them rebuild if their computers and power-generation networks were damaged in a cyber-attack.

"They are all worried about their reliance on computer systems and how they can offset that with insurance," she said.

Any company that applies for cover has to let experts employed by Kiln and other underwriters look over their systems to see if they are doing enough to keep intruders out.

Assessors look at the steps firms take to keep attackers away, how they ensure software is kept up to date and how they oversee networks of hardware that can span regions or entire countries.

Unfortunately, said Ms Khudari, after such checks were carried out, the majority of applicants were turned away because their cyber-defences were lacking.

Insurance is an excellent pressure point to influence security.

Posted on March 12, 2014 at 12:06 PM • 20 Comments

Comments

PonyAdvocate • March 12, 2014 12:50 PM

It used to be that insurance companies had some of the finest engineering staffs of any businesses. One of the responsibilities of these engineers was to inspect the operations of insured clients, to make sure they were running as safely as possible (not out of benevolence, of course, but with a view towards minimizing claims the insurer paid). I have for years thought that a liability insurance requirement would be the most effective way to police businesses that are tempted to cut corners when it comes to operating safely, and not just with regard to cybersecurity: Any enterprise whose activities have the potential to cause harm should be required to carry adequate liability insurance from an independent carrier (no self-insurance of any kind allowed). If an enterprise fails to do so, some significant percentage of its top employees should be subject to lengthy sentences in maximum security prisons and ruinous fines to be paid from their personal assets.

Cpragman • March 12, 2014 1:01 PM

Now if only there were an underwriter or listing agency interested in making home routers secure....

vas pup • March 12, 2014 3:04 PM

@PonyAdvocate:
"Any enterprise whose activities have the potential to cause harm should be required to carry adequate liability insurance from an independent carrier (no self-insurance of any kind allowed)". You are absolutely right! Moreover, the same requirement should apply to private persons having in their possession 'things' with real potential to cause harm (cars - already covered, boats, snowmobiles, planes, choppers, other transportation; firearms - not against the Second Amendment, but for responsible usage/storage; dogs of particular breeds/exotic animals/birds/reptiles/etc.).
@Cpragman: maybe it sounds too far, but in the past some Fire Insurance Companies had their own Fire Depot, i.e. they had under their umbrella the means to prevent and mitigate damage in the case of an insurance event.
Yeah, it is easier just to collect the premium, set its level to get a good profit, and deny paying coverage in the harmful event rather than operate means/units/structure towards risk mitigation. This modus operandi is not a silver bullet or panacea for all types of insurance, but worth consideration.
Final thought on insurance: as you as an insured person should never enrich yourself by insurance compensation (the purpose of insurance is to restore only!) in case of a harmful event, by the same token the insurance business should be not-for-profit by definition. Yeah, you still could pay fat bonuses to CEOs and top management based on results, not position (by default), but all extra profit left (after operational expenses and taxes) should go to the reserves of the insurance company as a guarantee of its solvency. By the way, why should an insurance company not be mandatorily insured by a Government reinsurance Agency, as Banks are insured by the FDIC, so that insurance coverage is provided in case of the bankruptcy of the insurance company (please, don't tell me "we don't need new bureaucracy". The FDIC is working fine. Or did we not learn anything after the latest financial crisis in the banking industry, and want to remain reactive, not proactive?)

Vatos • March 12, 2014 5:58 PM

perhaps this will encourage more companies to turn on "forward secrecy" for https.

Andy • March 12, 2014 10:25 PM

Wow, this is a magnificent point of entry for the NSA. They can just embed their mole in this insurance assessment team and learn about many unpatched routes of entry for many different companies and services and also, with that person's intervention, turn a blind eye to one or two security issues of the obscure sort for later exploitation.

Saves them the legal hassle of national security letters and FISA court involvement.

Andrew Burday • March 12, 2014 10:27 PM

"see if they are doing enough to keep intruders out."

As written, this ignores an important source of risk. One of the basic hazards of writing commercial fire insurance is that the business owner might torch the establishment him/herself. I trust that the insurance companies are protecting themselves from analogous threats from inside organizations -- I would think primarily by insisting on extensive, secure logging. This would need to take account of management and employees as well as ownership, and would not be trivial. Anyhow, I hope the description given above was just carelessly incomplete.

Mike Amling • March 13, 2014 3:58 AM

@vas pup
"insurance business should be not-for-profit by definition"

Mutual insurance companies have no stockholders, but are owned by the insured parties. At one time, mutuals were required to have the word 'mutual' in their names, e.g. Mutual of Omaha, but I don't think that's required any more.

FluffytheObeseCat • March 13, 2014 1:03 PM

"insurance business should be not-for-profit by definition" [...]
"Mutual insurance companies have no stockholders, but are owned by the insured parties."

Most life insurance companies in the U.S. have de-mutualized over the past 20-30 years. The legal protections and benefits for "mutuals" have lagged those of corporations. Also, it's often more difficult for C-level executives to divert company profits to themselves in a mutual company.

During the late 20th century, de-mutualization has increased in tandem with other diversions of profit towards managerial mandarins. Employees and stockholders are the net losers.

Externalities • March 14, 2014 7:10 AM

The insurance policies are only dealing with recovery of computers from incidents. Not with externalities, like clients' passwords being stolen, because no law tells otherwise :-(

"[...] the majority of applicants were turned away because their cyber-defences were lacking."

Products of this majority will have lower prices than products of the other part of applicants: so much for insurance usefulness :-(

The fact that some members of this majority will suffer from an accident will not influence the lowest prices.

BJP • March 14, 2014 1:59 PM

I find this simply hilarious.

What exposure does a company have when ALL their data is stolen and exposed? Ignoring reputation risk for the moment, their exposure is miniscule -- "oh, we have no evidence of any problems, but here let's give everyone 1 year of free credit monitoring!" It costs them next to nothing, and criminals worth a damn will sit on stolen info for a year.

Oh, maybe a state government agency fines them a few thousand, or maybe a few hundred thousand dollars? Like when Google was bypassing Safari's do not track stuff to check user cookies? Google gave state attorneys general some pocket change, and gave users a web page about cookies.

There's no incentive for companies to secure your data when their risk is so small. There's no incentive for states to push companies to secure your data when they can build a nice slush fund by slapping companies on the wrist every now and then.

Back to reputation risk... how many people have you heard say they'll never shop at Target again? Or use Sony products? Or Neiman Marcus? Zero? Maybe a dozen? So let's call it zero reputation risk.

Great idea but dead in the water. "You'll insure me, for a hefty fee, against a tiny risk, and I have to spend more on my own procedures for the honor of doing so? Thanks but no thanks!"

Alfie Stewart • August 21, 2014 7:50 AM

All it's supposed to do, is bankrupt the existing private insurance companies so they get out of the business. Then the Government can come in and "fix" things, because the public will demand some kind of insurance, and they will be the only game left in town. If you actually get some treatment in the meantime, so be it.
They have no vested interest in extending your longevity. Just the opposite, in fact, you are now simply an expense. They've got better things to do than spend money just to keep you alive longer so that they can then turn around and cut you another check next month. Gotta get those life expectancy tables down if you ever want Social Security to work. Once you stop paying income taxes, the Government has no more use for you.


Thanks,
Alfie Stewart
Motorbike Accident UK

Scott "SFITCS" Ferguson • August 21, 2014 9:19 AM

@Alfie


All it's supposed to do, is bankrupt the existing private insurance companies so they get out of the business. Then the Government can come in and "fix" things, because the public will demand some kind of insurance, and they will be the only game left in town. If you actually get some treatment in the meantime, so be it.

They have no vested interest in extending your longevity. Just the opposite, in fact, you are now simply an expense. They've got better things to do than spend money just to keep you alive longer so that they can then turn around and cut you another check next month. Gotta get those life expectancy tables down if you ever want Social Security to work. Once you stop paying income taxes, the Government has no more use for you.


That opinion runs counter to my, non-professional (I don't work on the insurance side of the business), understanding, and I would appreciate clarification. Though I understand you're in the "claims management business" - not actual insurance (which is, interestingly, kind of security related and therefore probably relevant to the forum).


  • I "thought" almost all insurance companies, private or government, relied on reinsurance, require a profit to remain viable, and that in fact there are only a handful of insurance companies fronted by a large number of resellers.

  • Profit dictates that costs should not exceed operating expenses - so paying damage compensation to insurers who shoot themselves in the foot is bad for business (not part of some conspiracy to push small insurers, who aren't actually insurers - but simply resell other insurance, out of business). Reinsurers require those companies so they can spread their risks. Governments require resellers to be able to cover the policies they issue (instead of absconding to Spain with the premiums).

  • The belief that government revenue consists solely of income tax (cough*GST/VAT/etc*cough) is erroneous. Perhaps it would be less inaccurate to say "government stops caring when you cost them nothing and cease spending money".

Kind regards

Clive Robinson • August 21, 2014 11:48 AM

@ Alfie,

The insurance you seem to be talking about is "health insurance" for "privatized health care" organisations, not Cyber-security, which is more akin to "fire risk" insurance on property.

For the record, the only people interested in promoting your longevity are you and your nearest and dearest. As far as everyone else is concerned, when you cease being "economically productive" the sooner you are dead the better it is for them.

But it gets worse: many employers are now taking out life insurance on employees, and from their point of view the best time for you to die is as soon as they get the full benefit of the policy on you, irrespective of whether you are economically productive or not. The fact that this insurance is usually taken out without the employee's knowledge or any benefit to their loved ones is seen as immoral by a number of people, especially when some of these employers have what is seen as a poor health and safety record.

That said, from an overall national perspective, whilst the Government might not want you to live too long, they don't actually want you being unhealthy, as this makes you a potential disease vector or nexus who will cost the economy way, way more than you could have been economically productive in your life. Further, the way they resolve the "cutting you a cheque" issue, as you should know if you are a UK resident, is by increasing the age of retirement and reducing state-funded pension benefits with respect to inflation.

What is not much talked about is who actually pays your pension; if you look into it, it's usually those who are actually paying in when you are retired. This is the hidden problem of pensions that a falling birth rate is going to cause to be a real issue within a few years. You can spot those who have thought about it because they tend not to be averse to foreign migrants, especially those who will in all probability go home, as they will be zero burden on the pensions they pay into here, being foreign nationals who are non-domiciled when retired. Thus what is really scaring some Governments is EU-wide transferable pension legislation that is bubbling up in EU state-level discussions, which is why they want to push people into private pension schemes such that the pension hit falls on the companies, not the Government tax take (though since Gordon Brown's little wheeze when UK Chancellor, the UK Gov takes pension tax on payments into private funds).

Nick P • August 21, 2014 1:03 PM

@ Clive

They call it "dead peasant insurance" internally. That's what court documents showed. Companies claim it's to recoup training costs. I'm sure these people cost $80,000-$2.5 million to train... In the case with $2.5 million, it was a bank employee the bank took two policies out on. The worst part is that the money never goes to the families at all, leaving them with the healthcare and funeral burden. So, in America, most people are worth more to their companies dead than alive. Strange feeling to think one's company is monitoring your health not for your well-being but to ensure its people are dying at the proper rate.

Clive Robinson • August 21, 2014 2:37 PM

@ Nick P,

It would appear that making money on the death of your employees has been "custom and practice" for quite a while,

http://en.m.wikipedia.org/wiki/H._H._Holmes

However it appears that some of the real tax fiddles around it are getting slowly closed down in the US, though not so in other places....

In certain UK security organisations staffed by ex-soldiers, kidnap insurance was sometimes called "Goat Comp" because the insurance was often paid secretly, on the death or assumed death of a company employee, to the company as compensation for the loss. So not paying ransom could be profitable... it was said that it originated from Margaret Thatcher's policy of not paying kidnappers under any condition, and went as far as prosecuting people that did...

Nick P • August 21, 2014 8:04 PM

@ Clive Robinson

Holy crap how did I never hear of this guy before?! I don't really study serial killers much as most are just untalented, obsessive, murderous pricks. This guy, though, is like a whole bunch of Hollywood horror plots combined into one story. Plus a great conman. He seems to be the Bond villain of serial killers. Only regret is that he wasn't forced to die a slow death.

Every now and then, I think we should suspend the "cruel and unusual punishment" ban. The bar of proof would have to be extremely high, applicable only to premeditated violence, and punishment befitting the crime. So, in his case, maybe make him run around in a maze of tear gas until he suffocates. Like he did to his victims...

Clive Robinson • August 22, 2014 4:57 AM

@ Nick P,

I hadn't heard of him either until a couple of years ago.

I suspect some things are so depraved and horrific that people don't actually want to remember or talk about them. If you look at Crippen and most other infamous killers, there is something different about their stories that has a human side to it. Be it the victim, the criminal or some new way they were caught.

Holmes' crimes were in effect "industrialized" and he saw his victims as a profitable product, to be processed into a commodity for which "demand outstripped supply" and thus had high returns, just as it did for the "resurrectionists" like Burke and Hare.

It's the simple economics, but applied to the extinguishing of human life, that is so chilling. It makes people realise that humans can be treated just like the livestock that we end up with on our plates, "no questions asked". And it's this

Clive Robinson • August 22, 2014 5:28 AM

@ Nick P,

The phone has pulled a new trick on me... I was phoned whilst typing and after ringing off I've discovered it's posted, most odd.

Anyway just to finish,

And it's this usually unstated fear that he could have been feeding human flesh into the food supply that really creeps people out, as the figures suggest he had up to 20,000 lbs or ten tonnes of it to dispose of and not enough chemicals to have dissolved it. Then there was the disposal of the personal effects: 200 sets of clothes, luggage etc. should have caused suspicion.

It's this in-built mental blanking-out process that is part of the "Hawks & Doves" Bruce has not gone into. When you look around, it's quite a shock to see what prospers when we don't want to think about it.

Scott "SFITCS" Ferguson • August 22, 2014 5:43 AM

@Clive Robinson


@ Nick P,

It would appear that making money on the death of your employees has been "custom and practice" for some quite a while ago,

The Devil in White City


See also B. Traven's "The Death Ship" - how ship owners would over-insure ships, staff them with the stateless, then sink them for the insurance. One of his (we don't know who "B. Traven" really was) best books.
Most people will have seen the movie "The Treasure of the Sierra Madre" - also based on one of his books. The man understood greed and murder.

Another case of multiple murders for financial gain. While the graphic details and degree of publicity make the White City story famous - for sheer numbers and emotional detachment (torture implies emotional attachment) this is truly evil. I also recall hearing of a similar Australian case. (I'd rate "Mother" Teresa highly on the scale of evil committed for gain too, knowing it's a contentious issue).

Kind regards
