Cybersecurity Insurance

Good article about how difficult it is to insure an organization against Internet attacks, and how expensive the insurance is.

Companies like retailers, banks, and healthcare providers began seeking out cyberinsurance in the early 2000s, when states first passed data breach notification laws. But even with 20 years' worth of experience and claims data in cyberinsurance, underwriters still struggle with how to model and quantify a unique type of risk.

"Typically in insurance we use the past as prediction for the future, and in cyber that's very difficult to do because no two incidents are alike," said Lori Bailey, global head of cyberrisk for the Zurich Insurance Group. Twenty years ago, policies dealt primarily with data breaches and third-party liability coverage, like the costs associated with breach class-action lawsuits or settlements. But more recent policies tend to accommodate first-party liability coverage, including costs like online extortion payments, renting temporary facilities during an attack, and lost business due to systems failures, cloud or web hosting provider outages, or even IT configuration errors.

In my new book -- out in September -- I write:

There are challenges to creating these new insurance products. There are two basic models for insurance. There's the fire model, where individual houses catch on fire at a fairly steady rate, and the insurance industry can calculate premiums based on that rate. And there's the flood model, where an infrequent large-scale event affects large numbers of people -- but again at a fairly steady rate. Internet+ insurance is complicated because it follows neither of those models but instead has aspects of both: individuals are hacked at a steady (albeit increasing) rate, while class breaks and massive data breaches affect lots of people at once. Also, the constantly changing technology landscape makes it difficult to gather and analyze the historical data necessary to calculate premiums.

BoingBoing article.

Posted on April 12, 2018 at 6:36 AM • 22 Comments

Comments

HumdeeApril 12, 2018 9:20 AM

It seems to me at first blush that this represent a basic conflict between the function of insurance and the function of technology. The purpose of insurance is to bring stability to commerce, it is in essence a form of forced saving for the proverbial rainy day. On the other hand, technology is disruptive, technological innovation is based upon upending the status quo. So I don't see how these two can exist in anything other than, at best, an uneasy alliance.

jeffpApril 12, 2018 9:38 AM

> because no two incidents are alike
Maybe on the *surface* they look different. I was looking at 20 year old articles from the">https://catless.ncl.ac.uk/Risks/">the Risks Digest and the articles sure look like what we're discussing today, buffer overflows, default (or no) passwords, etc.

Impossibly StupidApril 12, 2018 10:17 AM

I think the main problem with insurance is that it is meant for infrequent events. That's why it's essentially impossible to get flood insurance in a flood plain. That's the same reason it's a poor model for things like long-term health care, but appropriate for things like rare/emergency medical issues.

Security is fundamentally a constant process, so insurance isn't the right fit. It might make sense to try to insure against specific events (hacks, data theft), but the only real way to do that would be for actuaries to have extraordinary access to all the underlying hardware and software, and understand it to such an extent that they can predict how likely a security incident is. I'm not sure that can be done profitably.

echoApril 12, 2018 2:11 PM

I wonder if the American insurance industry is overcomplicating things. (I have no idea what the UK insurance industry position is.) Perhaps a formula like (processor speed * datasize / people with access) would be a good enough metric and just rank insurance into groups like cars?

Erik CarlseenApril 12, 2018 2:36 PM

There are several fundamental problems and notions outlined by the usual group of very smart commenters on this site, but I'll add some others:

1) PII loss is severely mispriced.

Right now the "accepted" (or imposed, depending on your perspective) remedy is to offer a year of free credit monitoring, which we all know is about as close to worthless as you can get without actually being worthless. The hassle and expense of banks reissuing credit cards and consumers having to deal with switching credit cards for automated payments far exceed the cost of what's being paid by the organizations that lose the data. As long as the cost for losing data is artificially low, then incentives to protect it are artificially low as well. Which brings us to...

2) It's virtually impossible to cleanly assign damages.

So much data has been leaked from so many different sources, and the criminals selling it are often intelligent enough to mix things up enough to disguise its origins. And, of course, under the current systems it's virtually impossible to link a specific case of abuse back through the chain of miscreants who (mis)handled and sold, re-sold, etc. the information. Even if it was possible, it would not be even remotely cost-effective to do so. So perhaps we need to create some sort of default tort for leaking data, even if its abuse can't be proven.

3) Some of these problems are temporary, and some are not. In the long run, we'll miss the good old days of "mere" credit card fraud.

Credit card payments are becoming tokenized driven by companies like Apple and Google, which will make credit card fraud far more difficult. Other things, like Medical PII, info used for credit application and tax return fraud, etc. will become more valuable and more highly targeted. And you can't change your medical PII (until we can buy new bodies and transfer into them), and it's very difficult to change other things like your address or government ID numbers (driver's license and social security in the US). These require more effort to exploit, but the potential gains are much higher. Eventually automation will become more prevalent here as it is with credit card fraud, and that will make things very difficult to remedy.

4) Third-party certification of best practices will close some gaps.

Some organizations like PCI do a semi-decent job of this (about as good as can be expected from organizations of their type), but we really need to have a variety of certifications and let the market sort out which ones are meaningful. Legislative / regulatory solutions are easier to enforce, but the notion of them keeping up with the times is farcical. In the long run, some certifications will have meaningful correlations with reduced data loss and some will not, and guess which ones insurers will demand?

LEAApril 12, 2018 7:45 PM

Re: insurance for "cyber"-extortion payments, is that very different from kidnapping insurance? I've heard high-profile rich people often have that, and I assume it's not based on a fire or flood model.

Then of course there are the "weird" types of insurance (that Lloyds is famous for), like when a famous person insures their voice or legs. Probably doesn't scale like insurance against internet attacks would need to.

justina.colmenaApril 12, 2018 8:05 PM

On the one hand, insurance companies don't like being ripped off, which no one can honestly blame them for, but on the other hand, they impose too many terms and conditions like you have to get a haircut or you can't have employees with tattoos or body piercings or whatever, and they just generally don't mind their own business, because they really don't have an EFFin' clue what they are insuring or what they are not insuring when a bunch of hackers hacked each others' hacked systems and shared a lot of other peoples' personal data, and that sort of thing just isn't really covered by that kind of policy, and blah blah blah....

ZaphodApril 12, 2018 8:05 PM

Re. Insurance in flood plain - lack therof. Not in the UK. The munificence of the UK government re. enforced insurance in these areas ensures flood insurance.

Of course the government has no money. Just plunders citizen’s private wealth. Nothing easier than spending other people’s money on other people

Tom BApril 13, 2018 1:38 AM

Seems diversification is the key both for customers and insurance companies. Using a diverse range of cloud platforms, hardware platforms, software platforms and services, then the consequence of a compromise on one platform is reduced. A word that springs to mind is monoculture - we should avoid monocultures - and that has obvious associations with ecology. Biological organisms diversify also using genetic diversity - perhaps that would be something to consider also in software? Slightly different variants of software components?

BobApril 13, 2018 2:03 PM

@Underwriter

Agree. Its probably for the better, I dont like what insurance has done to the health industry, or how people act differently in relation with their house or car if they have insurance. Maybe you dont want to take measures to prevent your house catching fire, maybe its not worth it, maybe your insurance will reward you better if you let the whole home burn instead of putting it out... but if the fire extends to a nearby home, then you should worry. Infosec is fully of externalities and insurance cannot take them into account.

A Nonny BunnyApril 13, 2018 3:32 PM

@Impossibly Stupid

I think the main problem with insurance is that it is meant for infrequent events. [...] That's the same reason it's a poor model for things like long-term health care, [...]
As long as long term healthcare is infrequent in the population, I think it fits.
It may not make much sense (for an insurer) to offer health insurance to someone that already needs long-term care, but it makes sense to offer it to healthy people that through an accident of fate might need long-term care in the future.

Impossibly StupidApril 13, 2018 4:10 PM

@A Nonny Bunny

As long as long term healthcare is infrequent in the population, I think it fits.

I was referring to the "regular" health care measures that everyone uses frequently over the course of their life: flu shots, eye exams, dental checkups, etc. Accidents or illnesses that result in the need for life-long care are, of course, exactly the kinds of rare events that insurance can/should be used to cover.

justina.colmenaApril 13, 2018 8:57 PM

@Underwriter: Insurance always struck me as a mob thing.
@Bob: I dont like what insurance has done to the health industry,

The health industry ruined itself on its own long before insurers deigned to offer coverage for the medical quackery they offer. The 1920s, the days of Al Capone, were notorious for various medicines, some quite dangerous, even radioactive, sold over-the-counter, various patent medicines, alcoholic cures, and narcotic or opium medications for some bizarre purported purpose. It was Prohibition. You needed a doctor's prescription for alcohol. To this day they prescribe marijuana, amphetamines, benzodiazepines, opiates, etc., etc. on various medical or "mental health" pretenses.

It is truly medieval. Bedlam in London, England in the Dark Ages.

They commit the crime of mayhem, that is, to maim someone. They cut out reproductive organs, teeth, tonsils, limbs, eyes, and other organs unnecessarily, and force their patients to be dependent on some form disability income.

To this day, crooked fraternizing lawyers downgrade mayhem to a misdemeanor, excuse the crime entirely, or chalk it up to vanity as "malicious disfigurement."

AlApril 14, 2018 1:09 AM

Insurance is in some ways like investing in the stock market.

If there is uncertainty, then the price needs to account for the uncertainty.

For health insurance, my employer is self-insured. With a population in the several 10,000's they know how much cancer, heart attack, etc to expect. (I read that only about 5,000 employees are needed to make self-insurance viable.) And in health, just like individual policies, there are high deductible plans for smaller businesses, like a $10,000,000 deductible, so smaller businesses can be self insured like bigger businesses without the worry of bankruptcy.

Where's the predictability in cyber-insurance? Between patching, internet access by employees, USB devices, etc, how does an insurer price it? We have Microsoft liking the rendering of fonts in kernel mode. I wouldn't want to insure this S#!t.

Five years out from now, maybe insurance would be cheaper because claims would be more predictable.

RealFakeNewsApril 14, 2018 1:10 AM

The problem I see with this is quantifying the damage.

Much data has already been lost already, and gas already been mentioned, the criminals that take it amass the newly stolen data with the existing stolen data. I'll bet in many cases there is much overlap (name, address, e-mail address, etc), so they may not actually gain any new data from any particular data breach.

The breaches that matter most relate to financial data, because in the end, most of cybercrime's end goal is the extraction of money. They don't care how or who from.

IMHO data breaches aren't treated severely enough in terms of the fact they happen, but at the same time the actual harm is ... what?

I think this is one reason this topic always hits the same walls - given so much data has by now been lost, and the fact the criminals are pretty organized with the data, we don't actually see much in the way of negative effects.

ID theft is hard, because it requires someone to assume someone else's identity. The same person can't use multiple identities in the same geographic region because they would eventually get recognized. It is self-limiting.

Stolen financial data only works for the duration it is valid. Once it is spotted, it is changed, and no longer functional. Expiry dates on cards further limits the utility of such data. Additional measures such as monitoring geographic regiona transaction was conducted in helps to reduce or eliminate the problem.

I think this is why we struggle with it.

A company could be working on a secret project, and a rival might want to steal it. This is a quantifiable scenario, with mitigations that can be spelled out. If done right, there is no problem. The risk becomes more conventional (insider; requires physical access to steal data/information).

Profiling, or behavioral analytics are more concerning, or where data is used to identify one or a group of people. Also location data is highly sensitive, especially if it is real-time, or can be used to determine patterns.

The question shouldn't be: how do we deal with data theft (IMHO that is easy to answer: sanitize it, and take it offline). The question should be: what threat model as a result of its mis-use are we dealing with?

DavidApril 14, 2018 6:20 AM

"...how difficult it is to insure an organization against Internet attacks, and how expensive the insurance is."

Huh? Why don't the insurance MBA scumbags do it like the health insurance goons do: When something catastrophic and costly happens, refuse to pay citing some illegible fine print and/or claim something else was a non-disclosed causative pre-condition. The claimant can't sue you because you took that right away in another fine print arbitration clause that also gives you the insurer the sole right to name the arbiter. What's that you say? The claimant will go public with the case as a last resort? No he won't. There's an air-tight non-disclosure clause (more fine print). So even if the claimant does go public, he'll end up paying you the insurance company (or worse he'll end-up in jail).

BobApril 14, 2018 12:42 PM

@justina

I myself was cut some other organ unnecessarily, but I'm not talking about poorly educated doctors or how fucked up the pharmaceutical industry is. Let me guide you with examples: All the people I know who have health insurance, including me, pay at least ten times more of what they consume in health services... in the HOPE that they will have a big accident or get diagnosed with a serious illness for it to become worth it. But first, the insurance business is VERY profiting, the obvious reason is that the probability of the insured getting their moneys worth is VERY low. And second, that if they want out, they can't. In some countries you are legally forced to be insured and most everywhere else, due to market forces, insurance made paying for health services yourself ridiculously expensive. I believe all of these problems could be taken to the realm of infosec if insurance would take place there too.

AdamApril 15, 2018 11:04 AM

There's a downside to such insurance products. If insurance reduces the expected cost of security lapses, companies will have lower incentives to secure their networks.

Driveby IdealogueApril 15, 2018 7:45 PM

But more recent policies tend to accommodate first-party liability coverage, including costs like online extortion payments,

When did negotiating with terrorists become a viable tactic? Quit being lazy about your (offsite) backups or be punished accordingly. What dataset exactly can a criminal who has just victimized you sell to you in a transaction that would be a net benefit for you? I guess sometimes getting something back from a thief that appears to be what they stole from you might be valuable. But me, I'll stick to my offsite backups and not negotiating with terrorists until there is a literal gun pointing at me.

Tom LeMay 29, 2018 5:22 PM

I think the main problem with insurance is that it is meant for infrequent events. That's why it's essentially impossible to get flood insurance in a flood plain.

This is a common myth. You can certainly get insurance even if you live in a floodplain. If you live in a 100-year floodpain, it just means that you have a 1% chance of a flood in any given year. And even if that 1% hits, the probability and extent of damage varies and that cost can be spread out over the class of insured homes.

In fact, premiums in high risk areas run at approximately 1% of the cost of the house. Federal statistics show that homes in high-risk flood areas have 25% rate of flooding during a 30-year mortgage. These numbers all fall well within the ability of insurance to provide protection.

WeatherJuly 31, 2018 6:35 AM

True that, but it's one big fucking mess, and no I just can't go see a mental health worker

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.