Cyber Insurance Industry Expected To Boom 58
An anonymous reader writes "The high profile hacks to Sony's systems this year were quite costly — Sony estimated losses at around $200 million. Their insurance company was quick to point out that they don't own a cyber insurance policy, so the losses won't be mitigated at all. Because of that and all the other notable hacking incidents recently, analysts expect the cyber insurance industry to take off in the coming year. 'Last October, the S.E.C. issued a new guidance requiring that companies disclose "material" cyber attacks and their costs to shareholders. The guidance specifically requires companies to disclose a "description of relevant insurance coverage." That one S.E.C. bullet point could be a boon to the cyber insurance industry. Cyber insurance has been around since the Clinton administration, but most companies tended to "self insure" against cyber attacks.'"
yet another industry (Score:3, Insightful)
that produces absolutely nothing
Wait, what? (Score:2, Insightful)
I'm certainly not on the inside at Sony or their insurer, and I haven't reviewed any documentation on actual insurance policies in force at Sony, but isn't this the sort of situation that errors and omissions insurance [wikipedia.org] is supposed to cover?
Re:yet another industry (Score:5, Insightful)
The other option, of course, is that the insurance company will mandate the better security practices, like is happening to get people out of the areas of New Orleans that are beneath sea level:
http://www.msnbc.msn.com/id/14456934/ns/business-us_business/t/many-new-orleans-cant-afford-insurance/ [msn.com]
This *might* actually improve things. (Score:3, Insightful)
Insurance companies are notorious for avoiding risky customers, if not outright persecuting them (cf. "undisclosed prior conditions" in health insurance). If a company wants to get (or keep) cyber-insurance, it's a fair bet that the insurance company will have conditions of contract which will ensure better (not necessarily best) practices for things like interfaces, coding, intrusion detection, etc. that will minimize THEIR losses in event of a breach. The overall effect will be to make good security/coding/etc. practices actually cheaper than the amateurish "self-insurance" companies like Sony have practiced.
Hi. I'm Bob, and I'll be your Code Review Actuary. If you pass, your premiums will drop by about ten percent.
Good (Score:5, Insightful)
Insurance companies are good at managing risk. They know how to estimate it, how to mitigate it, and how to charge for taking it on so that they don't lose money.
Businesses are good at managing costs, so when it comes to risks like security breaches which aren't well-understood, their tendency is to accept risk in order to cut costs. Forcing them to disclose what they're doing with respect to computer security risks will prompt a lot of concern from investors who want to see the risks mitigated, which will force businesses to get insurance. That will create a booming market for the insurance industry, but it will also prompt a lot of risk mitigation -- i.e. companies starting to do what they should have been doing to begin with -- in order to keep their insurance premiums down.
I wouldn't be surprised if there's another effect of widespread information security insurance policies: more financial liability for breaches. The combination of better-established best practices for security and the availability of deep-pockets insurance companies to sue will likely enable and motivate bigger awards. If so, more liability will further increase the attention paid to security risks. That's a good thing.
Re:Good (Score:5, Insightful)
Insurance will only set the baseline standard, and will prevent further advances for the industry as a whole. Home and Car locks have been stagnant technology for 50+ years because the remaining risk is managed with insurance/laws/police. You can buy better locks and alarms, but they aren't being widely adopted because insurance (and a risk mitigation attitude) has removed the incentive.
Twenty years from now what do we want cyber-security to look like? It should still be an ongoing effort, aggressive and widely distributed. Tying the financial costs of Sony's failure to insurance will raise their efforts to a baseline (set by insurance companies) and remove any motivation to do better. In fact, it will *prevent* Sony from doing better security, because they will need to do what the insurance companies have specified and nothing else, lest they interfere with the program specified by the the insurance companies.
Should insurance companies dictate security? Doctors don't let them dictate treatments because health care is so important and hard to get right. Do you want insurance companies telling you which language to use, which libraries to use, how to log/audit/test/deploy etc...? The insurance companies and financial managers are there to make money, not to create new things or do things better.
Home and car locks (Score:4, Insightful)
>Home and Car locks have been stagnant technology for 50+ years
What? 50 years ago you could hot-wire a car. Today we have immobilizers that won't let the engine start without cryptographic authentication.