The State of Cyberinsurance

Good essay on the current state of cyberinsurance.

So where does that leave the growing cyber insurance industry as it tries to figure out what losses it should cover and appropriate premiums and deductibles? One implication is that the industry faces much greater challenges than trying to quantify or cover intangible -- and perhaps largely imaginary -- losses to brands' reputations. In light of the evidence that these losses may be fairly short-lived, that problem pales next to the challenges of determining what should be required of the insured under such policies. Insurers -- just like the rest of us -- don't have a good handle on what security practices and controls are most effective, so they don't know what to require of their customers. If I'm going to insure you against some type of risk, I want to know that you're taking appropriate steps to prevent that risk yourself 00 installing smoke detectors or wearing your seat belt or locking your door. Insurers require these safety measures when they can because there's a worry that you'll be so reliant on the insurance coverage that you'll stop taking those necessary precautions, a phenomenon known as moral hazard. Solving the moral hazard problem for cyberinsurance requires collecting better data than we currently have on what works --and what doesn't -- to prevent security breaches.

Posted on June 16, 2014 at 1:29 PM • 20 Comments

Comments

Dave WalkerJune 16, 2014 1:54 PM

Yup, good piece.

One important thing which doesn't get quite the profile it ought to, though, is the nature of security vulnerabilities and the scope of the compromises which can result; it's not an uncommon occurrence that one minute "a reasonable percentage" of the commercial Internet is considered "reasonably secure", and the next minute a vuln is disclosed which has lots of organisations needing to rush to patch it.

Therefore, with such spikes in risk exposure, cyber-insurance isn't a game to play, until there's cyber-re-insurance to back the cyber-insurers.

The actuaries are still going to have huge headaches, as the article describes, though.

gunnarJune 16, 2014 1:56 PM

Which part was good?

" the industry faces much greater challenges than trying to quantify or cover intangible -- and perhaps largely imaginary -- losses to brands' reputations"

Imaginary? Really? Sure not every company has a valuable brand but Coca Cola sells $46B worth of sugar water every year. Its not like this is a new concept that brand matters in consumer retail. There is a whole industry devoted to figuring out how to value a brand

"Solving the moral hazard problem for cyberinsurance requires collecting better data than we currently have on what works --and what doesn't -- to prevent security breaches."

"Cyber"security itself - never mind - cybersecurity insurance is nowhere near this point. As to insurance, the way to think about cybersecurity insurance is as a specialty insurance market. If you are thinking about it like P&C then you are thinking about it the wrong way. We are not even in the same galaxy as something like that and will not be for some time.


The author confuses stock price with business value and investors with traders. One week movement of stock prices prove diddly squat. You have to look at long run cash flows, profit margins, and balance sheet to see impact. For example.

Nick PJune 16, 2014 2:10 PM

@ gunar

Good points. I also enjoyed the analysis on your blog. I've honestly wondered if companies should even worry about breach's effect on reputation as they happen so often and to so many large companies. Like malware on computers, consumers might get to the point (or be at it) where they think of the breaches as something that just happens and needs a good response. If anything, I'd pin the media coverage that exists after a breach as the main thing having an effect. That it goes away after a while would ensure the effect was short-term.

Your thoughts?

fatblokeJune 16, 2014 2:24 PM

'Cyber'insurance - Jesus wept, what else can we preposition with this stupid, idiotic and meaningless word?

With incredible quotes of billions of dollars of losses in relation to 'cyber' incidents (unquantifiable, nonsensical, "finger in the air" crap such as this: http://www.reuters.com/article/2014/06/09/us-cybersecurity-mcafee-csis-idUSKBN0EK0SV20140609) it is clearly impossible to assess risk in relation to 'cyber' from an insurance perspective & put any type of meaningful quantifiable value on it.

Two points:

1. Insurance exists to provide value for shareholders - hence the default insurance position of "deny all claims"

2. It's too easy for insurers to wheedle out of paying out on claims qv the Diginotar incident, an example of a 'claimed cyber incident' involving APT & other junk terms

GunnarJune 16, 2014 2:25 PM

@Nick P - I think we have be more specific than "businesses" for some it may not matter all that much, but if a company relies on its brand for customer retention and pricing power then acting cavalier with how it handles its end of the bargain seems like a bad idea

lisaJune 16, 2014 4:36 PM

No general purpose hardware or software (including the operating system) can be made secure!!!

There are such things are SE (Secure Elements) and HSM (Hardware Security Modules) with Common Criteria EAL 4+/5+/6+ levels of certifications on hardware and firmware. Both SE & HSM protect secret keys and data in secure storage with secure operation which is resistant to both physical and data based attacks, including fault and side channel. SE are for individual use, while HSM are for industrial/commercial use.

Remember the RSA SecurID token breach. This could have been prevented with a secure HSM (instead of insecure windows PC) costing a few thousands of dollars, to generate/provide token shared secrets during provisioning. This is nothing compared to the hundreds of millions of dollars lost by that breach.

This type of good security has been available for many years, but for some reason, people are too stupid or too negligent to implement these into critical systems.

The fact of the matter is that it is still often more cost efficient to have bad security then implement good security, since the cost of breaches are typically transferred to end-user victims.

If a bank refused to pay $$$ to use thick reinforced steel on their vaults, and used tissue paper, then they would be deemed negligent and sued into bankruptcy. But when an organization does the same with "cyber/online/cloud" and they get away scott-free with bad security.

The NSA and other organizations need to stop undermining security standards, and individuals and organizations need to be fully responsible for the full cost of security breaches, including direct and indirect costs of all victims.

Clive RobinsonJune 16, 2014 4:44 PM

@ Nick P, Gunner,

As far as reputation is concerned company execs have three worries,

1, Loss of customer confidence.
2, Loss of shareholder confidence.
3, Loss of execs reputation thus inability to move/climb.

The severity of worry being mainly in the reverse of the order given.

However it is more than reputation at stake these days, esspecialy for small companies. There is also more mportantly "compliance" or lack there of which can shut the entire company down overnight, and have execs facing criminal charges.

In the simple case a small to medium size company could find the credit card companies withdrawing their services. Whilst I'm not aware of any companies that have befallen this fate over data breachezms, we have seen the effects it's had on the likes of wikileaks and other organisations that have attracted the displeasure of the US Gov.

So when it comes to which is more of a worry I'd say compliance rather than reputation issues, which rather changes the underwriting dynamic.

StukeJune 16, 2014 4:59 PM

Cyberinsurance companies may have to become cyber insurance/security companies and provide BOTH services in order to be practical.

Bob S.June 16, 2014 5:42 PM

I read somewhere once all insurance is a racket. If you run the numbers on your own policies you would find that's very true...mostly.

BTW Target had another snafu just today...debit cards wouldn't compute.

keinerJune 17, 2014 3:05 AM

So as usual in modern (neocon capitalistic) times, the insurance company is the new church of last resort, telling you what to do and what not.

Sick, but nothing really new.

Clive RobinsonJune 17, 2014 4:22 AM

@ keiner,

What do you expect?

After all the "state" is the "insurer of last resort", and reserves the right to tell you via legislation what you can and can not do.

The Neocon ideal is for the state to diminish to nothing, or at least nothing that costs them, the reminent to be the "bread and circuses" or "sop/opiate of the mases". Thus putting "law making" into the comercial realm where the faux mantra of "market forces" can be used as smoke and mirrors to put it under the control of and for the benifit of the oligarchy, without the nusance of paying politicians off directly or indirectly would suit the Neocons well.

Bruce SchneierJune 17, 2014 5:58 AM

"I read somewhere once all insurance is a racket. If you run the numbers on your own policies you would find that's very true...mostly."

It's no more a racket than any business is. Yes, it would be cheaper in the long run to self-insure, but the whole point of insurance is to convert a variable-cost risk into a fixed-cost expense. In a great many cases, that's worth paying a premium for.

Bruce SchneierJune 17, 2014 6:00 AM

@gunnar

The author's point wasn't that the values of brands are imaginary, but that many of the supposed losses due to cyberattacks might be. That's corresponds with the data I've seen.

Oliver JonesJune 17, 2014 7:12 AM

In the medical data business, US regulations call for data spills of 500 or more persons' information to be made public, here:

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

A lot of these breaches aren't the result of coordinated attacks. They're basically from carelessness masquerading as convenience.

In this field, good insurance companies can play a strong role in risk management. But the insurance premiums are quite high.

Lowell GilbertJune 17, 2014 8:53 AM

Actuarial techniques (mostly based on projecting future loss probabilities from current loss rates) really aren't set up for modeling such a moving target. Nonetheless, insurance is one of the best hopes for improving typical practice in online security, for a couple of reasons.

First, because insurance companies have a longer and broader view than do their clients. This doesn't guarantee that they'll do a better job as a result, but it does give them more incentive to figure out (and then recommend/require) the most effective practices. This is part of their core business, so they're better at keeping it in mind than are their customers, for whom it may not be viewed that way.

Secondly, because they're worried about all of their customers in parallel. They'd prefer their customers were not just secure enough to convince an attacker to go somewhere else, but to actually raise the bar on those potential attackers for actually being a threat at all.

CalumJune 17, 2014 11:01 AM

Actually, from an actuarial/modelling point of view there isn't much of a challenge in cyber-exposures (it's not really much different from the question, what if airborne Ebola?, which does keep us awake). The main issue is insufficient data for robust estimation. That said, the Lloyds syndicates are now gingerly taking on exposure on a suck-it-and-see basis.

gunnarJune 17, 2014 11:46 AM

@bruce - the author attempts to prove that cyberattacks do not matter by using stock prices which is meaningless. Price is what you pay, value is what you get. Unless you Jim Cramer, a day trader, or a mayfly then the way to tell impact is to look at the fundamentals - cash flow, margins and debt. If the first two are going down and/or the latter goes up then there is an issue, all the rest is sentiment.

BillJune 19, 2014 9:58 AM

'Whether we care about companies’ cybersecurity matters because it helps determine how much they care about cybersecurity.'

No, not really:
- Card losses are not my liability.
- While I would care about a personal data LOSS tomorrow, I don't care about their security controls today.

Behavioural economics?


Costis ToregasJune 23, 2014 5:16 PM

Look at http://www.cspri.seas.gwu.edu/uploads/2/1/3/2/21324690/cyberinsurance_paper_pdf.pdf

We have tried to at least establish a translation of values and business models between the insurance industry and the computer science discipline- very different verticals with different incentives and metrics of success.

CSPRI is planning to host a symposium spanning these two diverse disciplines later in 2014. I would love to hear expressions of interest

Thanks!

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.