Analyzing Cyber Insurance Policies

There's a really interesting new paper analyzing over 100 different cyber insurance policies. From the abstract:

In this research paper, we seek to answer fundamental questions concerning the current state of the cyber insurance market. Specifically, by collecting over 100 full insurance policies, we examine the composition and variation across three primary components: The coverage and exclusions of first and third party losses which define what is and is not covered; The security application questionnaires which are used to help assess an applicant's security posture; and the rate schedules which define the algorithms used to compute premiums.

Overall, our research shows a much greater consistency among loss coverage and exclusions of insurance policies than is often assumed. For example, after examining only 5 policies, all coverage topics were identified, while it took only 13 policies to capture all exclusion topics. However, while each policy may include commonly covered losses or exclusions, there was often additional language further describing exceptions, conditions, or limits to the coverage. The application questionnaires provide insights into the security technologies and management practices that are (and are not) examined by carriers. For example, our analysis identified four main topic areas: Organizational, Technical, Policies and Procedures, and Legal and Compliance. Despite these sometimes lengthy questionnaires, however, there still appeared to be relevant gaps. For instance, information about the security posture of third-party service and supply chain providers and are notoriously difficult to assess properly (despite numerous breaches occurring from such compromise).

In regard to the rate schedules, we found a surprising variation in the sophistication of the equations and metrics used to price premiums. Many policies examined used a very simple, flat rate pricing (based simply on expected loss), while others incorporated more parameters such as the firm's asset value (or firm revenue), or standard insurance metrics (e.g. limits, retention, coinsurance), and industry type. More sophisticated policies also included information specific information security controls and practices as collected from the security questionnaires. By examining these components of insurance contracts, we hope to provide the first-ever insights into how insurance carriers understand and price cyber risks.

Posted on April 26, 2017 at 6:14 AM • 18 Comments

Comments

ToosentsApril 26, 2017 6:57 AM

Honest financial experts will tell you all insurance is a racket. In regards to cyber-insurance, better to spend the time and money upfront to create a secure system.

What good does it do to have insurance once your system is trashed?

Obviously, or maybe not, truly critical data should be stored off line. Offline backups are a good thing, too.

EnthusiastApril 26, 2017 7:33 AM

Toosents - I'm curious; have you ever had occasion to use your home or car insurance? Do you think everyone should just keep capital on hand to deal with the odd fire, flood or other catastrophic but infrequent loss event? When the tornado takes out my house but doesn't touch my neighbor, that's what I deserve?

Just sorta surprised to hear someone say risk pooling/insurance is "all a racket". I think cyber insurancr has some issues but also has some value.

Andrew GApril 26, 2017 8:17 AM

Unfortunately the link only points to the abstract. Can anyone provide a link to the full paper, or at least a proper citation? (the "suggested citation" at the bottom of the page is a bad suggestion -- it omits the name of the journal/proceedings where the article was published!)

PeteApril 26, 2017 8:31 AM

As CIO, I've reviewed our policy. There are requirements based on the size of the organization.

We are tiny, so the requirements are basically best practices for Windows computer network.

We have 1 Windows computer for Quickbooks running inside a VM. The rest run Linux servers, with most being on a completely different network. Many of the requirements to maintain our insurance make zero sense on a Linux server network. Our people connect through a VPN, remotely. We are a virtual company with a P.O. Box as our official address.

We had the insurance because it was required by a very large client, not because it would be helpful.

OTOH, car and home insurance **is** helpful. As a child, my family was in a tornado. Our house was mostly fine, but the next door and house across the street were completely destroyed - flattened - gone. The local high school was destroyed too, BTW. My parents and older siblings pulled the families out from under the rubble. Everyone was mostly ok - just cuts and bruising. I was only 7, so just sat on our front porch with an older sister watching all this happen.
Fortunately, all my auto accidents have been minor, slow speed, events.

Clive RobinsonApril 26, 2017 9:41 AM

@ Toosents,

Honest financial experts will tell you all insurance is a racket.

As are nearly all financial products. But that is not the point, in many places employers are required to have various types of insurance by law, irespective of how much of a racket it has become.

Further shareholders in the US and other places can litigate quite successfully if a company they have shares in suffers some eventuality the company has not purchased insurance to cover, it it's available.

In this sense it's the "Best Practice" racket, where the defense has to demonstrate why it was in the shareholders interest for them not to have taken insurance cover.

Thus the ditectors of a company that the sensible thing to do is buy the cheapest cover they can and offset the cost by making savings elsewhere. Often perversely by cutting back ICT sec spending. Thus they end up with a minimal security set that will meet the insurance policy cover requirments.

Which brings us on to this,

In regards to cyber-insurance, better to spend the time and money upfront to create a secure system.

No and not just for the above reason. The simple fact is that an ICT system using commodity components and standard commercial OSs and Apps when made secure is just about unusable for many asspects of business. Thus deploying such security is "throwing away business advantage", we might not like it as security proffessionals but that's the reality of the situation like it or lump it.

The unspoken flip side of "Best Practice" is that due to commercial OSs, Apps etc it is a very very tarket rich environment, and there are nowhere near sufficient cybercriminals to exploit even a fraction of those targets.

Thus we find ourselves living inthe equivalent of a village of timber houses with thatched roofs. When lightnening strikes you have no idea where it will land. If it's your house you'd better hope your neighbours are both friendly and helpfull...

SofaApril 26, 2017 10:57 AM

Andrew G you could email any of the 4 authors listed at their contact info and request a copy. I could not find a source any other way through 2 university library resources.

-Sofa

Andrew GApril 26, 2017 1:20 PM

@Clive Robinson The metaphor of living in a village of wooden houses with thatched roofs is also apt for another reason. If your neighbor's house catches fire then yours is at risk. Attackers very commonly compromise a system in order to attack a secondary target. So having insecure systems connected to the internet creates communal risk.

Put another way, if attackers didn't have easily compromised systems to use in botnets etc. then more attackers would have a hard time of it and give up or get caught. Therefore it's in our collective best interest to develop herd immunity (to mix a metaphor).

@Sofa thanks for suggesting to email the authors, for some reason that didn't occur to me!

FellowApril 26, 2017 2:57 PM

Re: F$(% $#!+ piece of furniture

Get off that psychoanalysis couch!

Definitely not an insurable risk!

vas pupApril 26, 2017 3:42 PM

@Toosents • April 26, 2017 6:57 AM

"Honest financial experts will tell you all insurance is a racket."
Yes, as soon it is for profit company which contradicts the idea of ANY insurance as tool for restitution not profiteering.

albertApril 26, 2017 4:59 PM

There are actually some benefits from the insurance 'racket' that help everyone, even the non-insured. The heavy promotion of auto seat belts, later, air bags. The insistence on strong building codes, especially for fire safety. Ditto for aircraft construction and flight safety. How about programs to help people stop smoking, drugs, alcohol, and promote healthier eating habits.

These programs help reduce payouts, which affect their bottom line. Exactly the opposite of companies that produce products or provide services.


I haven't finished the paper, but I am interested in the future of cyber insurance. Can we ever expect CI companies to become active lobbyists for safer, enforceable security standards?

. .. . .. --- ....

My InfoApril 26, 2017 5:28 PM

@albert

How about programs to help people stop smoking, drugs, alcohol, and promote healthier eating habits.

Second-hand tobacco smoke gives me a migraine headache, and second-hand marijuana smoke makes me vomit. I hate drugs and alcohol. Unfortunately when we import our food from hostile nations it already contains drugs and sometimes alcohol. A lot of folks like it that way.

Taking drugs is a requirement especially for housing these days. You don't think that drug dealer by the corner in the neighborhood stays in business without a wink and a nod from the local police and the DEA, do you? By street law, that neighborhood drug dealer must have access to your home, to slip drugs in your food and get you hooked, or make sure you don't develop any interests or hobbies hostile to the drug trade. You have to understand that in those neighborhoods, that drug dealer is allowed to possess a firearm, but you are not.

If you're "mentally ill," you will never be approved on a regular apartment application; you must live in a "group home" where you are not allowed to lock the door or have any privacy or space or possessions of your own, and you are required to take psychotropic drugs as a condition of your residency.

Clive RobinsonApril 26, 2017 8:06 PM

@ Andrew G,

Therefore it's in our collective best interest to develop herd immunity (to mix a metaphor).

Unfortunately the simplest and most effective way to do this is for the likes of Microsoft to up their game... But that is not going to happen when their financial and possibly legal interest is otherwise.

The latest example of this is IoT, where the manufacturers appear congenitaly incapable of performing even the minimum of security best practice from four and a half decades ago.

The fact somebody has designed and released more than a couple of worms to "brick" the devices should be alerting rather more than the IoT device manufacturers to "Bad Practice". Whilst I regard any kind of vigilante activity as an illegal act I can understand why people would hail such people as heros.

The downside is of course others may decide this is the way to go with the likes of Microsoft OSs and Apps that are to be honest little better security wise. Thus every village might get raised to the ground, and then unfortunately the vigilantes will find that it is they which will get hunted down and strung up, not the likes of Microsoft executives.

Chris AbbottApril 26, 2017 8:15 PM

Speaking of insurance, liability also comes to mind. Could software vendors be held liable when they intentionally wait to fix an exploit? A must read:

http://www.reuters.com/article/us-microsoft-cyber-idUSKBN17S32G

Copied from the article:
"Microsoft Corp declined to say how long it usually takes to patch a flaw."

Can anyone guess why they would wait so long? They don't seem to have any good excuse for it. You can't help but to be suspicious and even feel paranoid when learning of something like this.

Perhaps if companies like MS get held liable for damages as a result of not fixing security flaws they knew about, we'll see things getting updated a lot more often and a lot of other changes in the whole landscape.

@albert:

Maybe a cyber insurance industry would help promote security to reduce payouts.

albertApril 27, 2017 11:19 AM

@Chris Abbott,

Security, like charity, begins at home.

The cyber insurance industry is relatively new. It took legacy insurance companies many years to realize those ideas.

Perhaps the biggest problem with cyber insurance is "how do we know our policy-holders are following best security practices?"

In addition to regulation, airline flight systems collect more data than the NSA:) Increasingly, this is being done on ground transportation systems as well.

The data cyber-insurance companies need to assess risk is 'virtual'. It can be here today and gone tomorrow. It is not tamper-proof. It is not continuously monitored and recorded. Audits are time-consuming and expensive. 'Regulation' is ineffective, if not impossible, on software systems.

@Clive,
"...Whilst I regard any kind of vigilante activity as an illegal act I can understand why people would hail such people as heros....".

It's just a permanent form of DNS:) Karma works in strange (and often illegal) ways.

There is a point at which hacking 'incidents' eventually garner some response from the powers that be. Corporations are unlikely to join together and call for regulation. Maybe they'll just get better cyber insurance, preferably paid by the taxpayers (us).

-------

. .. . .. --- ....

maxMay 2, 2017 6:47 AM

@Chris Abbott

> Can anyone guess why they would wait so long?

I would assume that by now everyone can guess why they would wait so long (hint: a big country's government).

> Perhaps if companies like MS get held liable for damages as a result of not fixing security flaws they knew about ...

This would just constitute transfer of your funds from cyber insurance to lawyers because you would have to prove that they did know about it and that it would have been within their ability to fix anything sooner than they did, etc.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.