A Framework for Cyber Security Insurance

New paper: "Policy measures and cyber insurance: a framework," by Daniel Woods and Andrew Simpson, Journal of Cyber Policy, 2017.

Abstract: The role of the insurance industry in driving improvements in cyber security has been identified as mutually beneficial for both insurers and policy-makers. To date, there has been no consideration of the roles governments and the insurance industry should pursue in support of this public­-private partnership. This paper rectifies this omission and presents a framework to help underpin such a partnership, giving particular consideration to possible government interventions that might affect the cyber insurance market. We have undertaken a qualitative analysis of reports published by policy-making institutions and organisations working in the cyber insurance domain; we have also conducted interviews with cyber insurance professionals. Together, these constitute a stakeholder analysis upon which we build our framework. In addition, we present a research roadmap to demonstrate how the ideas described might be taken forward.

Posted on August 30, 2017 at 1:22 PM • 10 Comments

Comments

Chairman Mao • August 30, 2017 4:03 PM

Yet again, bankers seeking the rentista.

FYI, I know of a company that sells a "spyware" device that Snorts up all your DMZ and internal network data. In the event you don't buy another policy, they turn the data over to anyone -- including attorneys to sue you.

The data gets stored stuffed into an internet-connected database located with a friend of the insurance company(ies).

The device/system uses a classic MITM setup.

No kidding.

Why hire an insurance company to "protect" you when their means of protection is Snort-based spyware?

de La Boetie • August 30, 2017 4:17 PM

Definitions:

"public–private partnership" - stitch-up of consumers, public and users.
"stakeholders" - anyone other than consumers, public and users.

One thing I find puzzling about this proposition is that there is the presumption that there is something significant to insure. In order to insure, there has to be liability for cybersecurity, and apart from transitory reputational problems, in most cases there is no liability or it's nugatory - or companies and their directors are absolved from what would in any other situation be deemed negligence.

Chairman Mao • August 30, 2017 4:36 PM

"One thing I find puzzling...something significant to insure."

The key to understanding the racketeer's proposition is simple in

4.6. Catastrophic loss

4.6.1.
Government to act as insurer of last resorts [EU1, UK1, US1]

It means they get to collect the premium and never pay a claim.

It's about writing derivatives against mortgaged data.

Drone • August 30, 2017 11:50 PM

"The role of the insurance industry in driving improvements in cyber security has been identified as mutually beneficial for both insurers and policy-makers."

Yes of course, "beneficial for both insurers and policy-makers". THAT'S STATING THE OBVIOUS!

The REAL QUESTION is: Does the presence of Insurers in the IT Industry benefit the Consumers?

I think NOT! Take the credit card industry for example:

The card companies are insured against large security breaches, but they still diligently do all they can to prevent them. This not only keeps their insurance premiums down, it protects them against something no insurance policy can cover, bad publicity and all the mistrust it breeds. In this case the insurance policy is a good thing.

On the other hand...

Having an insurance policy against catastrophic security events actually REMOVES incentive for the card companies to improve security at ALL levels. As a result, everyday run-rate IT security is almost ignored by the card companies, and the losses that result are simply passed on to the card-holders as a group.

Because these run-rate breaches are so unpredictable in nature and difficult to defend against, the insurers have no incentive to write policies against them, so they simply set higher deductible thresholds.

Even if the run-rate losses were insured, it would only make the situation worse. The run-rate nature of the losses causes the insurance premiums to always be higher than the losses covered. In other words: there would be no Risk Value in the insurance coverage. So once again, the even higher premium costs would simply be passed on to the card-holders.

The Solution(?):

As much as I am against Government intervention, what may be needed here is legislation that prevents the card companies from passing the cost of run-rate losses due to lax security on to the consumers. As long as these run-rate losses due to lax security practices directly hit the card company's bottom line, the company will be motivated to be more responsible when it comes to security. But wait, there's more...

Enforcement would be via third-party audit with Government oversight. Certified audit services will be procured from the free market, not conducted by the Government. Standardized and normalized audit results will be made publicly available by company name. The open audit results will work as yet another incentive to make the card companies act responsibly when it comes to security - at ALL levels.

Winter • August 31, 2017 3:35 AM

@Previous Commenters
"The REAL QUESTION is: Does the presence of Insurers in the IT Industry benefit the Consumers?"

It is appalling to see how much distrust is harbored by the commenters here, as well as a lot of conspiracy theories. It would be good for these people to read Trust: The Social Virtues and the Creation of Prosperity by Francis Fukuyama.

https://www.foreignaffairs.com/reviews/capsule-review/1996-03-01/trust-social-virtues-and-creation-prosperity
(see also: https://www.imf.org/external/pubs/ft/seminar/1999/reforms/fukuyama.htm )

Except for genocide, nothing can destroy a society more thoroughly than the loss of mutual trust. We see this unfold at this very moment in the US (I am still undecided of who is worse in this respect, the Donald or Texas Ted).

As for insurance, that is simply a very important prerequisite for economic development. Modern market economics started in the Netherlands and the UK with the advent of insurance and stock markets. No insurance, stilted development.

Insurance Development and Economic Growth
https://link.springer.com/article/10.1057/gpp.2010.4

keiner • August 31, 2017 5:09 AM

@Winter

"As for insurance, that is simply a very important prerequisite for economic development."

Totally agree, but insurance was invented to mutually limit risks of life, not as a 10-billion-a-year-profit cash-cow for greedy big money.

"Ergebnis vor Ertragssteuern" (profit before income taxes)

https://www.allianz.com/de/investor_relations/ergebnisse-berichte/bilanz-guv/

(...so these 10 billion are only the part of the money they REALLY found no way to hide from the tax authorities)

And btw stealing a good part of this from their own employees (scandal Allianz and pensions for their insurance agents, google it...).

So who has to take for restoring trust? Not the idi*tz paying their insurance premiums always on time, but left alone in the rain in case something happenz.... ***end of rant***

SCNR

de La Boetie • August 31, 2017 5:29 AM

@winter - the loss of trust is indeed appalling, damaging, disastrous. Even more appalling is that that loss of trust is objectively justified, no?

Insurance is a class of rent-seeking/risk mitigation, not primary wealth creation. One which might indeed have a positive economic impact IF risk were indeed properly distributed. But specifically, we have the situation where the risk is improperly laid on the consumer and public with no representation, while those making money do not take the risk and head off into the sunset with their bonuses intact.

Joe Kokomo • August 31, 2017 6:32 AM

It's a rather deep topic, however there are advocates of declaring cyber data as tangible property which would make it much easier to understand and protect.

For example see: https://www.irmi.com/articles/expert-commentary/is-computer-data-tangible-property-or-subject-to-physical-loss-or-damage-part-2/
Also, the ability to insure digital data would become much easier if data was deemed tangible as methods for valuing and insuring property are well established. The value of your disk drive data could be valued like a car, for example.

I don't think this will ever happen however as the corporations and governments have too much to lose if people and businesses could lawfully protect data and make it expensive to lose or misuse it.

Chairman Mao • August 31, 2017 9:17 AM

@Joe Kokomo

"Insurance is a class of rent-seeking/risk mitigation, not primary wealth creation. One which might indeed have a positive economic impact IF risk were indeed properly distributed. But specifically, we have the situation where the risk is improperly laid on the consumer and public with no representation, while those making money do not take the risk and head off into the sunset with their bonuses intact."

Insurance is "pay me this amount now" (the insurer) and "I'll pay you later if I feel like it and I get to choose how much I pay." (insured).

If you don't accept what I offer you as settlement, you can hire a lawyer and sue me for the next 5 years.

By the way, while you sue, you must still pay me.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.