There’s a really interesting new paper analyzing over 100 different cyber insurance policies. From the abstract:
In this research paper, we seek to answer fundamental questions concerning the current state of the cyber insurance market. Specifically, by collecting over 100 full insurance policies, we examine the composition and variation across three primary components: The coverage and exclusions of first and third party losses which define what is and is not covered; The security application questionnaires which are used to help assess an applicant’s security posture; and the rate schedules which define the algorithms used to compute premiums.
Overall, our research shows a much greater consistency among loss coverage and exclusions of insurance policies than is often assumed. For example, after examining only 5 policies, all coverage topics were identified, while it took only 13 policies to capture all exclusion topics. However, while each policy may include commonly covered losses or exclusions, there was often additional language further describing exceptions, conditions, or limits to the coverage. The application questionnaires provide insights into the security technologies and management practices that are (and are not) examined by carriers. For example, our analysis identified four main topic areas: Organizational, Technical, Policies and Procedures, and Legal and Compliance. Despite these sometimes lengthy questionnaires, however, there still appeared to be relevant gaps. For instance, information about the security posture of third-party service and supply chain providers is notoriously difficult to assess properly (despite numerous breaches occurring from such compromise).
In regard to the rate schedules, we found a surprising variation in the sophistication of the equations and metrics used to price premiums. Many policies examined used a very simple, flat rate pricing (based simply on expected loss), while others incorporated more parameters such as the firm’s asset value (or firm revenue), or standard insurance metrics (e.g. limits, retention, coinsurance), and industry type. More sophisticated policies also included information on specific information security controls and practices as collected from the security questionnaires. By examining these components of insurance contracts, we hope to provide the first-ever insights into how insurance carriers understand and price cyber risks.
Posted on April 26, 2017 at 6:14 AM
Good essay on the current state of cyberinsurance.
So where does that leave the growing cyber insurance industry as it tries to figure out what losses it should cover and appropriate premiums and deductibles? One implication is that the industry faces much greater challenges than trying to quantify or cover intangible—and perhaps largely imaginary—losses to brands’ reputations. In light of the evidence that these losses may be fairly short-lived, that problem pales next to the challenges of determining what should be required of the insured under such policies. Insurers—just like the rest of us—don’t have a good handle on what security practices and controls are most effective, so they don’t know what to require of their customers. If I’m going to insure you against some type of risk, I want to know that you’re taking appropriate steps to prevent that risk yourself—installing smoke detectors or wearing your seat belt or locking your door. Insurers require these safety measures when they can because there’s a worry that you’ll be so reliant on the insurance coverage that you’ll stop taking those necessary precautions, a phenomenon known as moral hazard. Solving the moral hazard problem for cyberinsurance requires collecting better data than we currently have on what works—and what doesn’t—to prevent security breaches.
Posted on June 16, 2014 at 1:29 PM
This is a good development:
For years, said Ms Khudari, Kiln and many other syndicates had offered cover for data breaches, to help companies recover if attackers penetrated networks and stole customer information.
Now, she said, the same firms were seeking multi-million pound policies to help them rebuild if their computers and power-generation networks were damaged in a cyber-attack.
“They are all worried about their reliance on computer systems and how they can offset that with insurance,” she said.
Any company that applies for cover has to let experts employed by Kiln and other underwriters look over their systems to see if they are doing enough to keep intruders out.
Assessors look at the steps firms take to keep attackers away, how they ensure software is kept up to date and how they oversee networks of hardware that can span regions or entire countries.
Unfortunately, said Ms Khudari, after such checks were carried out, the majority of applicants were turned away because their cyber-defences were lacking.
Insurance is an excellent pressure point to influence security.
Posted on March 12, 2014 at 12:06 PM
Interesting This American Life show on loopholes. The first part is about getting around the Church’s ban against suicide. The second part is about an interesting insurance scheme.
Posted on November 2, 2012 at 6:37 AM