Forgot your password?
typodupeerror
Businesses Security The Almighty Buck News

Cyber Insurance Industry Expected To Boom 58

Posted by Soulskill
from the who-doesn't-love-new-forms-of-insurance dept.
An anonymous reader writes "The high profile hacks to Sony's systems this year were quite costly — Sony estimated losses at around $200 million. Their insurance company was quick to point out that they don't own a cyber insurance policy, so the losses won't be mitigated at all. Because of that and all the other notable hacking incidents recently, analysts expect the cyber insurance industry to take off in the coming year. 'Last October, the S.E.C. issued a new guidance requiring that companies disclose "material" cyber attacks and their costs to shareholders. The guidance specifically requires companies to disclose a "description of relevant insurance coverage." That one S.E.C. bullet point could be a boon to the cyber insurance industry. Cyber insurance has been around since the Clinton administration, but most companies tended to "self insure" against cyber attacks.'"
This discussion has been archived. No new comments can be posted.

Cyber Insurance Industry Expected To Boom

Comments Filter:
  • by JimCanuck (2474366) on Saturday December 24, 2011 @12:15PM (#38482288)

    More insurance policies ....

    • by magarity (164372)

      I don't think all that many will be written. Think about it: you can get car insurance (and health and life and home, etc, etc) because your car meets the local safety standards and most people aren't intentionally suicidal, therefore the insurance company can impersonally look up in its actuarial tables to find your risk. But computer systems? You'd have to be nuts - even if you had a large, competent audit team to go over all the security procedures at big corporate network X, can you 1. be certain the

      • You'd have to be nuts - even if you had a large, competent audit team to go over all the security procedures at big corporate network X

        ...you mean like a PCI audit (civilian), or a STIG inspection/audit (US gov't)? Those both involve external teams to come in periodically and check for compliance to published standards, then present plans to remedy any shortfalls, usually with a strict compliance date and re-inspection to insure it. I work in the banking industry, and I get to see the PCI audit teams yearly. I used to work for a defense contractor, and they had very similar inspections on an even tighter schedule.

        1. be certain they follow the procedures/policies

        See above. If you're big e

        • The problem is that doesn't work, so people won't bet money on it.

          There is no set of formal requirements that guarantees security. It can't be created.

          • There is no formal requirements that guarantees a drivers ability to drive a car either. Hence insurance to protect yourself from other idiots on the road.
    • Just what the world needs. More insurance policies ....

      On the other hand the insurance policies may require some reasonable IT practices. Perhaps a manager who is not so responsive to the argument "these practices are standard and recommended" will be more responsive to "failure to meet these practices will get our insurance policy canceled".

  • by Anonymous Coward on Saturday December 24, 2011 @12:16PM (#38482290)

    that produces absolutely nothing

    • It does not matter, these companies can now go tell their investors that they are "prepared" for when those evil hackers breach their security systems. Naturally, the idea that they could employ better security practices never occurs to the investors, who have been steeped in the "evil hackers are wizards who can do magic things that no ordinary person could possibly imagine" mindset.
  • Wait, what? (Score:2, Insightful)

    by Anonymous Coward

    I'm certainly not on the inside at Sony or their insurer, and I haven't reviewed any documentation on actual insurance policies in force at Sony, but isn't this the sort of situation that errors and omissions insurance [wikipedia.org] is supposed to cover?

    • I think errors and omissions only covers expensive accidental data loss, or profit losses due to down-time, but not actual theft of data. I think cyber insurance is more for protection of a system that was otherwise functioning normally but suffered losses due to deliberate, malicious break-in through unseen holes in the system's security. It wouldn't surprise me if errors and omissions policies explicitly exclude coverage of damages due to malicious hacking.

      Theft insurance is different from accident insura

  • Not going to happen (Score:4, Interesting)

    by seifried (12921) on Saturday December 24, 2011 @12:20PM (#38482324) Homepage
    The data needed to make actuarial tables isn't good enough (so you can't assess risk rates that well), and the amount of self inflicted harm (e.g. Sony) is staggering. What will happen is insurance companies will attempt to do this, claims will be filed, and denied on various grounds (some legitimate, like you did have a password on the admin account, and some less legitimate) but payout rates will be low to zero. Companies will realize that attempts to financially offset the impact of the risk isn't working (you pay the premiums but never win any claims) and eventually stop buying cyber insurance.
    • by mvar (1386987)
      My first thought was that this could be "easy money" for any company that buys such an insurance. But OTOH the insurance companies will probably want a minimum set of specifications or even access to the client's firewalls, systems etc. This is going to be interesting
      • My first thought was that this could be "easy money" for any company that buys such an insurance.

        You want me to break something else? http://www.youtube.com/watch?v=vkkM9YAJ-Ts [youtube.com]

      • by mspohr (589790)

        The way insurance companies work is to carefully write lots of fine print which limits their exposure. For instance, my home insurance policy comes with 22 pages of fine print which is can only be parsed by a lawyer after the fact. This gives them lots of outs to avoid paying a claim. I imagine that these insurance policies will also come with lots of fine print to guarantee that they won't have to pay anything significant. These policies will be a boon for the insurance companies but the insured will b

    • by timeOday (582209) on Saturday December 24, 2011 @12:43PM (#38482540)
      I agree with you on the problems, but maybe this budding industry will help standardize practices and metrics and make the IT industry more mature by quantifying risks as dollars so companies can understand them.
  • by koan (80826)

    Maybe we will get realistic numbers from these "hacking" events, now we will get what the insurance companies will actually cover which may be in line with actual losses rather than the exaggerated loss propaganda we usually hear about.

    • by koan (80826)

      OK wow... that was poorly written but you get the gist right?

      • I get the gist, but more likely we will hear this sort of state:

        Hackers attacked our security system and stole customer data. We have been partially covered by our insurance policy, but will still have to deal with a $400 trillion loss.
  • So will moving funds to cyber insurance policy help fix??

    Look at sony they cut down there Security staff right be for they got hit by the big hack and maybe if they did not make that cut then maybe the hack would not been so big.

    Lack of funds to update Security software / hardware?

    Lack of man power to have good Security?

    Lack of basic IT man power?
    some times this leads to poor Security as people / departments don't have the time to wait for IT so they some times bypass IT to get work done / have IT lower sec

    • Security requires experts with experience in the field. Security is not something you buy, it needs to be adapted to the particular needs of an organization, and it is often counter-intuitive. Worse still, after paying a lot for an expert who tells you to do things that seem weird and not what you were expecting, you have no way to tell whether or not the security policy accomplished anything at all. Insurance is cheaper, and it is something your investors and board members can understand.
      • by Hentes (2461350)

        Worse still, after paying a lot for an expert who tells you to do things that seem weird and not what you were expecting, you have no way to tell whether or not the security policy accomplished anything at all.

        Sure you can. Hire a whitehat. Security, like everything in IT, needs to be tested.

  • Maybe this will introduce standards for coding that the insurance industry can live with.

    UL listed code?
    • by Anonymous Coward

      My experience in this kind of thing was:
      1. The Companies lenders/insurance company demand some type of certification of acceptable standards.
      2. Software suppliers/consulting companies begin to offer said certification.
      3. Obtaining said certification requires large purchases of software suppliers

    • by Lehk228 (705449)
      Everything will have to be done in python or perl
    • by geekmux (1040042)

      Maybe this will introduce standards for coding that the insurance industry can live with. UL listed code?

      The "1,000 ways to skin a cat" analogy barely touches the surface of available options to code a solution in software.

      Good luck getting someo...er, anyone, to agree to a "standard" in there.

    • This might be too optimistic, but it may encourage more open-source software. Problems due to in-house proprietary solutions that do not follow proper coding standards, and are not peer reviewed by the hacking-community at large may well be identified as a major risk and drive-up the cost of non-open code, encouraging more code to be opened.

      Or it will just wind-up creating a huge racket for proprietary solutions, only benefiting huge companies with lots of capital that can afford the huge cost of developing

  • by sehlat (180760) on Saturday December 24, 2011 @12:41PM (#38482522)

    Insurance companies are notorious for avoiding risky customers, if not outright persecuting them (cf. "undisclosed prior conditions" in health insurance). If a company wants to get (or keep) cyber-insurance, it's a fair bet that the insurance company will have conditions of contract which will ensure better (not necessarily best) practices for things like interfaces, coding, intrusion detection, etc. that will minimize THEIR losses in event of a breach. The overall effect will be to make good security/coding/etc. practices actually cheaper than the amateurish "self-insurance" companies like Sony have practiced.

    Hi. I'm Bob, and I'll be your Code Review Actuary. If you pass, your premiums will drop by about ten percent.

    • Or the policy will only cover a certain maximum amount of loss, certain kinds of security breaches, etc. Why spend the money auditing when you can just not spend money and not pay out when a company is attacked?
      • by artor3 (1344997)

        Because your would-be clients have armies of lawyers to dig through any proposed contracts and make sure they're really covered. If you leave in loopholes to get out of paying, while Company X offers real coverage with audits to set the price, most customers will choose Company X ... and those that don't will next time.

        • Company X requires you to spend large sums of money to bring your security up to date, so that you can pay them for something that is far less likely to happen. Company Y with lower premiums does not, but is less likely to pay. Your investors could not care less which company you go with, as long as you maximize profits. Which would your company go with?
  • Insurance companies typically force the insured company to be proactive, i.e. start thinking about cyber-security (or fire safety, or employee driver training, etc.) *before* something catastrophic happens. Like think of how your home fire insurance rates are lower if you install an automatic sprinkler system... same idea here with cyber-security. I have no doubt that the big insurance companies will be looking closely at companies' security policies before writing them a $200-million policy.
    • Often obtrusive "security" conflicts with the prime mission of the organization, sapping morale, efficiency and innovation. e.g. TSA. Good unobtrusive security is a rare jewel.
    • by Animats (122034)

      Insurance companies typically force the insured company to be proactive, i.e. start thinking about cyber-security (or fire safety, or employee driver training, etc.) *before* something catastrophic happens.

      Yes. The company famous for that is The Hartford Steam Boiler Inspection and Insurance Company. [hsb.com] Back when steam engines were high-tech, and blew up frequently, Hartford Steam Boiler was established in 1866 to insure them. More than half the company's staff is boiler inspectors. They inspect before they issue the policy, and the policy gives them the right to inspect whenever they want to, which they do regularly. Very, very seldom does a boiler insured by Hartford Steam Boiler blow up.

      Many companies don

      • so that the works can tell management that no your plan will not work / will not pass the security plan. Also they will cover IT's ass when the CEO or other higher up's brakes the rules and there is a security leak.

        Also maybe they can say that makeing people put in 80 hours weeks is bad for good code that will pass the security plan.

  • Good (Score:5, Insightful)

    by swillden (191260) <shawn-ds@willden.org> on Saturday December 24, 2011 @01:06PM (#38482742) Homepage Journal

    Insurance companies are good at managing risk. They know how to estimate it, how to mitigate it, and how to charge for taking it on so that they don't lose money.

    Businesses are good at managing costs, so when it comes to risks like security breaches which aren't well-understood, their tendency is to accept risk in order to cut costs. Forcing them to disclose what they're doing with respect to computer security risks will prompt a lot of concern from investors who want to see the risks mitigated, which will force businesses to get insurance. That will create a booming market for the insurance industry, but it will also prompt a lot of risk mitigation -- i.e. companies starting to do what they should have been doing to begin with -- in order to keep their insurance premiums down.

    I wouldn't be surprised if there's another effect of widespread information security insurance policies: more financial liability for breaches. The combination of better-established best practices for security and the availability of deep-pockets insurance companies to sue will likely enable and motivate bigger awards. If so, more liability will further increase the attention paid to security risks. That's a good thing.

    • Re:Good (Score:5, Insightful)

      by mounthood (993037) on Saturday December 24, 2011 @01:51PM (#38483104)

      Insurance will only set the baseline standard, and will prevent further advances for the industry as a whole. Home and Car locks have been stagnant technology for 50+ years because the remaining risk is managed with insurance/laws/police. You can buy better locks and alarms, but they aren't being widely adopted because insurance (and a risk mitigation attitude) has removed the incentive.

      Twenty years from now what do we want cyber-security to look like? It should still be an ongoing effort, aggressive and widely distributed. Tying the financial costs of Sony's failure to insurance will raise their efforts to a baseline (set by insurance companies) and remove any motivation to do better. In fact, it will *prevent* Sony from doing better security, because they will need to do what the insurance companies have specified and nothing else, lest they interfere with the program specified by the the insurance companies.

      Should insurance companies dictate security? Doctors don't let them dictate treatments because health care is so important and hard to get right. Do you want insurance companies telling you which language to use, which libraries to use, how to log/audit/test/deploy etc...? The insurance companies and financial managers are there to make money, not to create new things or do things better.

  • by Anonymous Coward
    Insurance companies usually demand some risk mitigation (such as building codes or safe driving records). This could force companies to tighten up their security to lower their insurance premiums. Tightening up security to limit losses is something too immeasurable to put on the balance sheet.
  • on the road to higher priced software.... as soon as Insurance and lawyers get involved we're screwed

  • "...Last October, the S.E.C. issued a new guidance requiring that companies disclose "material" cyber attacks and their costs to shareholders. The guidance specifically requires companies to disclose a "description of relevant insurance coverage." That one S.E.C. bullet point could be a boon to the cyber insurance industry."

    Er, could be a boon? Ah, smells more like "you grease this palm, and I'll make you billions" type of "guidance". Give me a break. It really can't get much more blatant than this, pulling yet another form of pointless "mandatory" insurance out of your ass.

    And yes, it will likely be pointless by the time you get to the fine print on paying out a half-billion dollar cyberinsurance claim.

  • The real intrusions are very hard to prove, the hacks that get discovered are the ones that couldn't manage to be subtle enough. Even if there are signs, unless it is a lulzsec-like troIl group doing it publicly the insurance company will refuse to pay. IT security insurance will just make companies overconfident and worrying even less about security, and when they get hacked they will find that the insurance company isn't paying for the huge losses as they can't be proven.

  • To show what a scam cyber insurance really is.

  • More post industrial hot air. Insurance typically sucks in 2-4x the actual loss claims paid (then think of precious high interest rate capital for years ahead), not a source of competitive growth or information, and will stifle the growth of new competitive edges. The US is toast, an economy running on empty promises and bs.
  • Just like the 'Green Jobs / Economy,' right boys? Admittedly, this might be slightly more tangible than the previous 'opportunity,' but I have my doubts.

    On a side note, what happened to investing in actual technological innovation? A little-less pie-in-the-sky, a little more our scientists have confirmed this is doable, and our engineers desperately want to build a new fab to we can retire in style in 5 years?

    Does anyone understand what I am attempting to convey here? We've gone from the poker table to the

  • Not to say there isn't room for some sort of cyber-insurance, but the whole issue with Sony was their lack of competent programmers and admins.

    Of course they go the way of wanting insurance instead of fixing the root of the problem.

    They go the route of 1lb of cure is better than 1oz of prevention, probably because it's easier to measure the effectiveness of a cure than prevention.

"Just think of a computer as hardware you can program." -- Nigel de la Tierre

Working...