Risk
3/26/2014 04:00 PM
Sara Peters
Commentary

Don't Put Too Much Faith in Cyberinsurance

Cyberinsurance is great for covering discrete costs like breach notifications and legal fees, but don't rely heavily on it for much else.

When contemplating threats to your organization (perhaps counting them instead of sheep while you shiver in a cold sweat on another sleepless night), you might be comforted by the thought of transferring risk to someone else -- like, for instance, a cyberinsurance provider. The trouble is that not all risks can be transferred, no matter how much you pay for a policy.

The insurance company may absorb the immediate costs associated with a data breach -- sending out notifications and the like -- but no matter how much you pay for your policy, it cannot completely absorb the damage to your company's reputation. Just because you're insured doesn't mean you won't go out of business.

The other trouble, of course, is that cyberinsurance doesn't cover all security incidents. Big data breaches get the most attention, but what about the denials of service that bring your online store down for 48 critical hours during the holiday season? What about the insider who secretly obtains broader access credentials and uses that access to embezzle money or commit corporate espionage? What about the attacks that compromise the control systems for critical physical infrastructure? Some insurers will cover those incidents, but the policies are rife with exceptions and restrictions.

According to a recent Ponemon Institute survey of security and risk professionals, most policies will pony up cash for breach notifications, legal fees, and forensic investigations. About half will pay for regulatory fines and equipment replacements. However, only 34% cover revenue loss. Only 8% cover brand damages, and only 11% cover employee productivity losses.

As for the types of incidents the insurers will cover, you're probably protected against human errors and bad guys on the outside. However, only about half the survey respondents' policies cover attacks by malicious insiders. Only 11% cover attacks against "business partners, vendors or other third parties that have access to their company's information assets." (Sorry, Target.)

Despite the limitations, companies are still buying cyberinsurance. According to the Ponemon report, 31% of security and risk pros said their company has a cybersecurity insurance policy. Another 39% said they are planning to purchase insurance, and 41% said that, from a business perspective, cybersecurity risks are greater than other insurable business risks such as natural disasters, business interruption, and fires.

The most common reasons respondents gave for not purchasing insurance were that it was too expensive or didn't cover enough. However, 26% said their risk profile was too high, so insurers wouldn't sell them policies.

How do you alter your organization's risk profile to make it more palatable to insurers? Anyone who's ever had to improve a FICO credit score quickly to convince lenders that the borrower is not a high-risk scoundrel knows that it requires some fiscal acrobatics, a bit of sorcery, and a lot of incessant, obsessive monitoring. The cyberinsurance industry now has its own version of a FICO score to delight underwriters and frighten hopeful policy holders.

The startup BitSight Technologies recently launched an information security risk rating system. This system "provides objective and up-to-date ratings on the information security health of a company's partner ecosystem so it can better protect sensitive business and customer data shared with third-party vendors," BitSight said in a press release. "The information security ratings, which range from 250 to 900, are similar to consumer credit scores, with higher ratings indicating better security postures."

Liberty Insurance Underwriters (LIU) just partnered with BitSight to provide the BitSight Security Rating Service to holders of LIU Data Insure policies. Liberty said in a release that the service will generate and deliver "timely, data-driven analysis of a company's security performance" on a daily basis. Policy holders won't need to provide any information or undergo any testing.

Though there are signs that the cyberinsurance industry is maturing, there remains a healthy amount of skepticism about its effectiveness. Thirty percent of the respondents to the Ponemon survey said they have no interest in purchasing a policy now. During an event at Fordham University this month, White House director for cybersecurity critical infrastructure protection Samara Moore said flat out that cyberinsurance is "not very well developed" and "not a very viable option."

What do you think? Has your organization bought a cyberinsurance policy? Do you think it's worth the money? Were you involved in the decision to purchase the insurance? Have you ever had to file a claim? How did that go? Do you think the cyberinsurance industry would ever consider offsetting risks through catastrophe bonds? Let us know in the comments below.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
kjhiggins,
User Rank: Strategist
3/26/2014 | 9:17:16 PM
cyber insurers
Really interesting insight, Sara. Who are the main players in cyber insurance today?