Cyber Insurance Industry Expected To Boom
An anonymous reader writes "The high profile hacks to Sony's systems this year were quite costly — Sony estimated losses at around $200 million. Their insurance company was quick to point out that they don't own a cyber insurance policy, so the losses won't be mitigated at all. Because of that and all the other notable hacking incidents recently, analysts expect the cyber insurance industry to take off in the coming year. 'Last October, the S.E.C. issued a new guidance requiring that companies disclose "material" cyber attacks and their costs to shareholders. The guidance specifically requires companies to disclose a "description of relevant insurance coverage." That one S.E.C. bullet point could be a boon to the cyber insurance industry. Cyber insurance has been around since the Clinton administration, but most companies tended to "self insure" against cyber attacks.'"
Just what the world needs (Score:3, Interesting)
More insurance policies ....
Re: (Score:2)
I don't think all that many will be written. Think about it: you can get car insurance (and health and life and home, etc, etc) because your car meets the local safety standards and most people aren't intentionally suicidal, therefore the insurance company can impersonally look up in its actuarial tables to find your risk. But computer systems? You'd have to be nuts - even if you had a large, competent audit team to go over all the security procedures at big corporate network X, can you 1. be certain the
Re: (Score:3)
You'd have to be nuts - even if you had a large, competent audit team to go over all the security procedures at big corporate network X
...you mean like a PCI audit (civilian), or a STIG inspection/audit (US gov't)? Those both involve external teams that come in periodically and check for compliance with published standards, then present plans to remedy any shortfalls, usually with a strict compliance date and re-inspection to ensure it. I work in the banking industry, and I get to see the PCI audit teams yearly. I used to work for a defense contractor, and they had very similar inspections on an even tighter schedule.
1. be certain they follow the procedures/policies
See above. If you're big e
Re: (Score:2)
The problem is that doesn't work, so people won't bet money on it.
There is no set of formal requirements that guarantees security. It can't be created.
Standard and recommended practices (Score:2)
Just what the world needs. More insurance policies ....
On the other hand the insurance policies may require some reasonable IT practices. Perhaps a manager who is not so responsive to the argument "these practices are standard and recommended" will be more responsive to "failure to meet these practices will get our insurance policy canceled".
yet another industry (Score:3, Insightful)
that produces absolutely nothing
Re:yet another industry (Score:5, Insightful)
The other option, of course, is that the insurance company will mandate the better security practices, as is happening to get people out of the areas of New Orleans that are beneath sea level:
http://www.msnbc.msn.com/id/14456934/ns/business-us_business/t/many-new-orleans-cant-afford-insurance/ [msn.com]
Re: (Score:1)
Private sector regulation (Score:3)
There is precedent for companies contractually requiring better security from other companies. That's what PCI DSS is, for example. I'm no fan of "check the box" security, but it has a use in preventing obvious stupidity.
The insurance industry seems to be treating ISO 27001 as the standard to use.
Re: (Score:3)
Yeah, they tend to go for formal, third-party standards like ISO 27001 because they're trying to combine two things: 1) mandate some minimal level of non-stupidity so they're not paying out for too many stupid things; but 2) be able to argue that it's an objective, neutral test, not them capriciously denying claims just to avoid paying them out.
Wait, what? (Score:2, Insightful)
I'm certainly not on the inside at Sony or their insurer, and I haven't reviewed any documentation on actual insurance policies in force at Sony, but isn't this the sort of situation that errors and omissions insurance [wikipedia.org] is supposed to cover?
Re: (Score:1)
I think errors and omissions only covers expensive accidental data loss, or profit losses due to down-time, but not actual theft of data. I think cyber insurance is more for protection of a system that was otherwise functioning normally but suffered losses due to deliberate, malicious break-in through unseen holes in the system's security. It wouldn't surprise me if errors and omissions policies explicitly exclude coverage of damages due to malicious hacking.
Theft insurance is different from accident insura
Not going to happen (Score:4, Interesting)
Trading Places (Score:2)
My first thought was that this could be "easy money" for any company that buys such an insurance.
You want me to break something else? http://www.youtube.com/watch?v=vkkM9YAJ-Ts [youtube.com]
Re: (Score:2)
The way insurance companies work is to carefully write lots of fine print which limits their exposure. For instance, my home insurance policy comes with 22 pages of fine print which can only be parsed by a lawyer after the fact. This gives them lots of outs to avoid paying a claim. I imagine that these insurance policies will also come with lots of fine print to guarantee that they won't have to pay anything significant. These policies will be a boon for the insurance companies but the insured will b
Re:Not going to happen (Score:4, Interesting)
Maybe (Score:1)
Maybe we will get realistic numbers from these "hacking" events, now we will get what the insurance companies will actually cover which may be in line with actual losses rather than the exaggerated loss propaganda we usually hear about.
Re: (Score:1)
OK wow... that was poorly written but you get the gist right?
Re: (Score:2)
Hackers attacked our security system and stole customer data. We have been partially covered by our insurance policy, but will still have to deal with a $400 trillion loss.
companies don't pay the costs of Security as it is (Score:2)
So will moving funds to a cyber insurance policy help fix this??
Look at Sony: they cut down their security staff right before they got hit by the big hack, and maybe if they had not made that cut the hack would not have been so big.
Lack of funds to update Security software / hardware?
Lack of man power to have good Security?
Lack of basic IT man power?
Sometimes this leads to poor security as people / departments don't have the time to wait for IT, so they sometimes bypass IT to get work done / have IT lower sec
Security is expensive, counterintuitive, etc. (Score:2)
Re: (Score:2)
Worse still, after paying a lot for an expert who tells you to do things that seem weird and not what you were expecting, you have no way to tell whether or not the security policy accomplished anything at all.
Sure you can. Hire a whitehat. Security, like everything in IT, needs to be tested.
I'm sorry son, is this code UL listed? (Score:2)
UL listed code?
Re: (Score:1)
My experience in this kind of thing was:
1. The company's lenders/insurance company demand some type of certification of acceptable standards.
2. Software suppliers/consulting companies begin to offer said certification.
3. Obtaining said certification requires large purchases of software suppliers
Maybe this will introduce standards for coding that the insurance industry can live with. UL listed code?
The "1,000 ways to skin a cat" analogy barely touches the surface of available options to code a solution in software.
Good luck getting someo...er, anyone, to agree to a "standard" in there.
Re: (Score:1)
This might be too optimistic, but it may encourage more open-source software. Problems due to in-house proprietary solutions that do not follow proper coding standards, and are not peer reviewed by the hacking community at large, may well be identified as a major risk and drive up the cost of non-open code, encouraging more code to be opened.
Or it will just wind-up creating a huge racket for proprietary solutions, only benefiting huge companies with lots of capital that can afford the huge cost of developing
This *might* actually improve things. (Score:3, Insightful)
Insurance companies are notorious for avoiding risky customers, if not outright persecuting them (cf. "undisclosed prior conditions" in health insurance). If a company wants to get (or keep) cyber-insurance, it's a fair bet that the insurance company will have conditions of contract which will ensure better (not necessarily best) practices for things like interfaces, coding, intrusion detection, etc. that will minimize THEIR losses in event of a breach. The overall effect will be to make good security/coding/etc. practices actually cheaper than the amateurish "self-insurance" companies like Sony have practiced.
Hi. I'm Bob, and I'll be your Code Review Actuary. If you pass, your premiums will drop by about ten percent.
Or... (Score:2)
Re: (Score:2)
Because your would-be clients have armies of lawyers to dig through any proposed contracts and make sure they're really covered. If you leave in loopholes to get out of paying, while Company X offers real coverage with audits to set the price, most customers will choose Company X ... and those that don't will next time.
Not a bad thing (Score:2)
A sticky thing (Score:3)
Re: (Score:3)
Insurance companies typically force the insured company to be proactive, i.e. start thinking about cyber-security (or fire safety, or employee driver training, etc.) *before* something catastrophic happens.
Yes. The company famous for that is The Hartford Steam Boiler Inspection and Insurance Company. [hsb.com] Back when steam engines were high-tech, and blew up frequently, Hartford Steam Boiler was established in 1866 to insure them. More than half the company's staff is boiler inspectors. They inspect before they issue the policy, and the policy gives them the right to inspect whenever they want to, which they do regularly. Very, very seldom does a boiler insured by Hartford Steam Boiler blow up.
Many companies don
Unions will go a long way as well. (Score:2)
so that the workers can tell management that no, your plan will not work / will not pass the security plan. Also they will cover IT's ass when the CEO or other higher-ups break the rules and there is a security leak.
Also maybe they can say that making people put in 80-hour weeks is bad for good code that will pass the security plan.
Good (Score:5, Insightful)
Insurance companies are good at managing risk. They know how to estimate it, how to mitigate it, and how to charge for taking it on so that they don't lose money.
Businesses are good at managing costs, so when it comes to risks like security breaches which aren't well-understood, their tendency is to accept risk in order to cut costs. Forcing them to disclose what they're doing with respect to computer security risks will prompt a lot of concern from investors who want to see the risks mitigated, which will force businesses to get insurance. That will create a booming market for the insurance industry, but it will also prompt a lot of risk mitigation -- i.e. companies starting to do what they should have been doing to begin with -- in order to keep their insurance premiums down.
I wouldn't be surprised if there's another effect of widespread information security insurance policies: more financial liability for breaches. The combination of better-established best practices for security and the availability of deep-pockets insurance companies to sue will likely enable and motivate bigger awards. If so, more liability will further increase the attention paid to security risks. That's a good thing.
Re:Good (Score:5, Insightful)
Insurance will only set the baseline standard, and will prevent further advances for the industry as a whole. Home and Car locks have been stagnant technology for 50+ years because the remaining risk is managed with insurance/laws/police. You can buy better locks and alarms, but they aren't being widely adopted because insurance (and a risk mitigation attitude) has removed the incentive.
Twenty years from now what do we want cyber-security to look like? It should still be an ongoing effort, aggressive and widely distributed. Tying the financial costs of Sony's failure to insurance will raise their efforts to a baseline (set by insurance companies) and remove any motivation to do better. In fact, it will *prevent* Sony from doing better security, because they will need to do what the insurance companies have specified and nothing else, lest they interfere with the program specified by the insurance companies.
Should insurance companies dictate security? Doctors don't let them dictate treatments because health care is so important and hard to get right. Do you want insurance companies telling you which language to use, which libraries to use, how to log/audit/test/deploy etc...? The insurance companies and financial managers are there to make money, not to create new things or do things better.
Home and car locks (Score:4, Insightful)
>Home and Car locks have been stagnant technology for 50+ years
What? 50 years ago you could hot-wire a car. Today we have immobilizers that won't let the engine start without cryptographic authentication.
May be good (Score:1)
here we go (Score:2)
on the road to higher priced software.... as soon as Insurance and lawyers get involved we're screwed
Insurance for insurance sake. (Score:2)
"...Last October, the S.E.C. issued a new guidance requiring that companies disclose "material" cyber attacks and their costs to shareholders. The guidance specifically requires companies to disclose a "description of relevant insurance coverage." That one S.E.C. bullet point could be a boon to the cyber insurance industry."
Er, could be a boon? Ah, smells more like "you grease this palm, and I'll make you billions" type of "guidance". Give me a break. It really can't get much more blatant than this, pulling yet another form of pointless "mandatory" insurance out of your ass.
And yes, it will likely be pointless by the time you get to the fine print on paying out a half-billion dollar cyberinsurance claim.
force BSA Auditing (Score:2)
where each piece of software must have a software update plan.
The real intrusions can't be proven (Score:2)
The real intrusions are very hard to prove; the hacks that get discovered are the ones that couldn't manage to be subtle enough. Even if there are signs, unless it is a lulzsec-like troll group doing it publicly, the insurance company will refuse to pay. IT security insurance will just make companies overconfident and worry even less about security, and when they get hacked they will find that the insurance company isn't paying for the huge losses as they can't be proven.
Cue hackers (Score:2)
To show what a scam cyber insurance really is.
we're toast (Score:2)
Lol (Score:2)
Just like the 'Green Jobs / Economy,' right boys? Admittedly, this might be slightly more tangible than the previous 'opportunity,' but I have my doubts.
On a side note, what happened to investing in actual technological innovation? A little less pie-in-the-sky, a little more "our scientists have confirmed this is doable, and our engineers desperately want to build a new fab so we can retire in style in 5 years"?
Does anyone understand what I am attempting to convey here? We've gone from the poker table to the
A Bandaid (Score:2)
Not to say there isn't room for some sort of cyber-insurance, but the whole issue with Sony was their lack of competent programmers and admins.
Of course they go the way of wanting insurance instead of fixing the root of the problem.
They go the route of 1lb of cure is better than 1oz of prevention, probably because it's easier to measure the effectiveness of a cure than prevention.