Risk
6/17/2014 12:00 PM
Ira Scharf
Commentary

The Problem With Cyber Insurance

Insurers have yet to develop an evidence-based method to assess a company's cyber risk profile. This can result in high premiums, low coverage, and broad exclusions.

Cyber insurance is one of the fastest growing segments in the insurance industry. With the tremendous increase in data breaches, companies are looking for insurance products to cover them in the event of a loss.

As the Boston Globe recently reported, one in three companies now has insurance coverage against cyber losses. Last year 20% more cyber insurance policies were sold than in 2012, according to a Marsh LLC report.

Recently disclosed high-profile breaches at Target, Neiman Marcus, and other large retailers highlight the tremendous impact a cyber breach can have on a company -- both financial and reputational. The potential losses can be significant. Some analysts see the Target breach costs exceeding $1 billion, far surpassing its insurance limits.

A gift that keeps on giving
Target's massive holiday breach was a giant gift to insurers that have been pushing these policies for years. For the rest of us, it was a wakeup call. And as the demand for cyber insurance has increased, insurers have come up with new ways to offer policies. In 2013, insurers rolled out 38 new cyber insurance products, according to the insurance analyst firm Advisen Ltd.

A senior executive at Aon Risk Solutions recently told The Wall Street Journal (subscription required): "Inquiries from potential buyers [of cyber insurance] have tripled since the recent hackings and a greater portion of callers are buying." Though demand has certainly grown, cyber insurance is still in its infancy, and there is still a lot of education to be done on the subject as more and more companies conduct a majority of their business online, opening themselves up to data theft.

Companies ranging from single-site firms to multinationals generally deploy a wide array of techniques in an effort to thwart cyber attacks. However, not all techniques are effective, and not all companies implement those techniques in a manner that achieves optimal results. Even when a company does have a strong risk management program, most insurers don't have an objective, evidence-based method to assess its risk profile. This uncertainty and lack of objective intelligence can result in policies with high premiums, low coverage, and broad exclusions.

Wanted: evidence-based cyber risk ratings
Questionnaires used in cyber insurance underwriting as part of the application process can be broad and subjective, as well. They give an indication of security policies and procedures that may be in place at a given company, but not how effectively those policies and procedures are implemented. Two companies with similar security practices may have very different security outcomes. A recent blog post by George Hulme outlines how questionnaires may lead to a false sense of security for risk managers.

Further compounding the problem is a well-known fact among security professionals: Hackers are becoming ever more sophisticated in the methods they use to attack companies, which makes it difficult for companies to keep up with the latest security practices.

An objective, evidence-based cyber risk metric is needed to measure security effectiveness, not simply the existence of policies and procedures. Such a metric gives underwriters a distinctive tool for assessing the potential for cyber loss at a particular company. The algorithms that calculate it can analyze vast amounts of data, including a company's Internet communication and evidence of actual security compromises and vulnerabilities. Underwriters can use this information, alongside their other underwriting procedures, to gain a critical window of visibility into a company's security posture.

Security ratings can transform the insurance industry by allowing insurers to compare companies empirically against one another and against industry averages. This gives underwriters an objective method to gauge the cyber risk of prospective insureds, and gives insurers the ability to continuously measure and track the overall risk of their entire portfolio.

Ira Scharf is Chief Strategy Officer with BitSight Technologies. He previously was President of AirDat and served as General Manager of Energy & Risk for the Weather Channel. View Full Bio
Comments
JeffN726 (User Rank: Apprentice)
7/16/2014 | 8:02:01 AM
Check out FAIR
There is an existing risk quantification framework called FAIR (factor analysis of information risk) which is available from the Open Group.  This framework provides a consistent and objective framework for quantifying cyber / information risk.  There is a vendor that offers software based on FAIR (CXOWARE) that does a credible job of quantifying risk.  Might be something worth looking into.
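The FAIR framework named in the comment above can be tried without any vendor software. The following Python is an added example, not code from the article, the commenter, the Open Group or CXOWARE. It implements FAIR's basic decomposition (loss event frequency = threat event frequency x vulnerability; annual loss = the sum of loss magnitude over that year's loss events) as a Monte Carlo simulation over calibrated min / most-likely / max ranges, which is how FAIR-based tools produce a loss distribution rather than a single score. The three scenarios, the $1M policy limit, the use of a triangular distribution in place of PERT, and the Poisson draw for event counts are all assumptions made for this example and are not part of the standard.

```python
"""FAIR-style Monte Carlo estimate of annualised cyber loss.

Added example; not code from the article, the comment, or any FAIR tool.
FAIR (Open Group O-RT / O-RA standards) decomposes risk as
    Loss Event Frequency (LEF) = Threat Event Frequency (TEF) x Vulnerability
    Annual loss               = sum of Loss Magnitude over the year's loss events
Calibrated inputs are (min, most likely, max) ranges.  Assumptions made here:
a triangular distribution stands in for the PERT distribution FAIR tooling
normally uses, the number of loss events per year is Poisson with rate LEF,
and every number in SCENARIOS is constructed for illustration only.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean, median


@dataclass(frozen=True)
class Range:
    """A calibrated estimate: minimum, most likely, and maximum value."""
    lo: float
    mode: float
    hi: float

    def sample(self, rng):
        # random.triangular returns `lo` when lo == hi, so degenerate ranges work.
        return rng.triangular(self.lo, self.hi, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Range             # threat events per year
    vulnerability: Range   # probability (0..1) that a threat event becomes a loss event
    loss_magnitude: Range  # loss per loss event, in currency units


# Constructed, illustrative scenarios -- not measurements of any real company.
SCENARIOS = [
    Scenario("phishing -> credential theft -> data breach",
             Range(4, 12, 30), Range(0.02, 0.05, 0.15), Range(50_000, 250_000, 2_000_000)),
    Scenario("ransomware on file servers",
             Range(0.5, 2, 6), Range(0.05, 0.15, 0.40), Range(100_000, 600_000, 5_000_000)),
    Scenario("SQL injection against the customer web app",
             Range(20, 60, 200), Range(0.002, 0.01, 0.03), Range(20_000, 150_000, 1_500_000)),
]


def poisson(lam, rng):
    """Knuth's method for a Poisson draw; fine for the small rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, rng.random()
    while p > threshold:
        k += 1
        p *= rng.random()
    return k


def simulate_year(scenarios, rng):
    """One simulated year: total loss across all scenarios."""
    total = 0.0
    for s in scenarios:
        vuln = min(1.0, max(0.0, s.vulnerability.sample(rng)))
        lef = s.tef.sample(rng) * vuln
        for _ in range(poisson(lef, rng)):
            total += s.loss_magnitude.sample(rng)
    return total


def run_simulation(scenarios, trials=10_000, seed=2014):
    """Return a list of simulated annual losses; the fixed seed makes runs reproducible."""
    rng = random.Random(seed)
    return [simulate_year(scenarios, rng) for _ in range(trials)]


def percentile(losses, p):
    ordered = sorted(losses)
    return ordered[round(p * (len(ordered) - 1))]


def exceedance_probability(losses, threshold):
    """Fraction of simulated years whose loss exceeds `threshold` (e.g. a policy limit)."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def summarize(losses, policy_limit):
    return {
        "annualised_loss_expectancy": mean(losses),
        "median": median(losses),
        "p90": percentile(losses, 0.90),
        "p95": percentile(losses, 0.95),
        "worst_case": max(losses),
        "p_exceeds_limit": exceedance_probability(losses, policy_limit),
    }


if __name__ == "__main__":
    results = run_simulation(SCENARIOS)
    for key, value in summarize(results, policy_limit=1_000_000).items():
        print(f"{key:>28}: {value:,.2f}")
```

The figure an underwriter or risk manager actually wants is the last one: the probability that a year's losses exceed the limit being bought (or the retention being kept), which is exactly the question the article's Target example raises. Replacing the triangular ranges with calibrated PERT estimates and the constructed scenarios with an organisation's own threat register is the work a FAIR analysis consists of; the arithmetic does not change.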
peterfxcassidy (User Rank: Apprentice)
6/25/2014 | 7:20:28 PM
Design for Actuarial Proxies and Underwriting Schema for Cyber Risk Already In Hand

Method, system, and service for quantifying network risk to price insurance premiums and bonds

United States 8494955

Issued July 23, 2013

A method for determining financial loss related to performance of an internetwork, comprising: collecting input information regarding performance of an internetwork using techniques that simultaneously record topology and performance; detecting at least one anomaly in at least one portion of said internetwork; translating said at least one anomaly into at least one operational risk for a financial entity that underwrites insurance premiums and bonds by: adding information about a first plurality of enterprises in an industry; estimating a total cost for said industry for said plurality of anomalies; and, determining respective costs for claims on insurance policies for said industry based on said total cost; or, interrogating at least a portion of the network topology; making estimates of internetwork conditions at the time of an anomaly resulting in a loss; and, calibrating a disbursement against a covered party's claims with respect to the at least one anomaly.

Problem solved.
Marilyn Cohodas (User Rank: Strategist)
6/24/2014 | 8:25:17 AM
Re: unknown unknowns
This has been a fascinating thread with a lot of excellent points about the challenges of calculating cyber security risk from an actuarial point of view versus the traditional cost/benefit, risk management perspective of an enterprise security team. Can there be objective, evidence-based risk metrics in a world of "unknown unknowns" that will offer organizations some additional protection in the event of a breach?  I hope so. But for the young cyber-insurance industry a lot remains to be seen.
lg.alabris (User Rank: Apprentice)
6/23/2014 | 10:18:35 PM
unknown unknowns
Underwriters have nominally avoided acts of war as legitimate risk opportunities, at least those operating with statistical evidence.  I can't imagine this market surviving given what we know about the origin of cyber attacks & PII compromise, etc.  Nature can be devastating but at least predictable.  These events will by nature continue to evolve as genuine gambling.  Perhaps both sides would be better off spending resources elsewhere.  Of course this will all go away when totally secure systems become available.  At that point cyber insurance will become irrelevant.
PaulWaite (User Rank: Apprentice)
6/20/2014 | 10:18:30 PM
Re: The Problem With Cyber Insurance
Good comments Brian. I totally agree with your synopsis. CI is in its infancy and may take some time to mature.

Many CI carriers are unable to ascertain the value of data loss and what the compromised data may be. 

CI should not be seen as the panacea, but merely form a part of any good risk transfer/mitigation strategy.
Randy Naramore (User Rank: Ninja)
6/18/2014 | 12:55:59 PM
Re: High premiums, low coverage, & broad exclusions. Oh my!.
While I see how the idea of cyber insurance is attractive to anyone who is concerned with the possibility of breach, it is a false sense of security. If you follow a defense-in-depth approach to security and make sure employees are educated to the dangers of the internet then you are doing all you can to "insure" yourself, and even then you might be breached. IMO.
Robert McDougal (User Rank: Ninja)
6/18/2014 | 12:33:50 PM
Re: High premiums, low coverage, & broad exclusions. Oh my!.
I agree, I don't see how this type of insurance will be anything more than a paper shield.  Basically, any company that does business on the internet can fall prey to a currently undiscovered vulnerability (think heartbleed).  Those companies could do everything within their power securely and still experience a breach.  In short, what I am pointing out is that there isn't a low risk group to offset the losses of the high risk group, making this coverage ultimately unsustainable.
Brian Thornton (User Rank: Apprentice)
6/18/2014 | 6:46:25 AM
The Problem With Cyber Insurance
While there are plenty of good reasons to improve the evidence-based method to assess a company's cyber risk profile, I take issue with the statement, "This has resulted in high premiums, low coverage, and broad exclusions."

Rates are driven by loss ratios and supply and demand.  Over the last few years there have been many new markets entering the cyber insurance world resulting in more competition and broader terms than just a year ago, especially for the smaller and mid-sized companies.

This market is still in its infancy.  Compared to other lines of business there is a very low correlation to the insured's amount of data and how they protect it and their loss ratio.  The best risk can still easily have a bad loss and the worst risks can go clear for a long time.

As the market matures, this will become less of an issue.  I do agree that data collection in the underwriting process can provide a good basis for long-term risk comparison across a carrier's portfolio.  Things will no doubt move in that direction, but saying the lack of this in the industry has resulted in high premiums, low coverage, and broad exclusions is just not accurate.  Coverage has become broader and more competitive every year the product has evolved.

The insurance is part of an overall risk management process.  It starts with IT and involves senior management, education of the entire staff, and building an overall awareness of the exposures – ending with a component of risk transfer.  There are plenty of lower risk accounts that have less data and very good policies and procedures to balance out the higher risk accounts and a lot of carriers to share in the risk.  A comment that this insurance is unsustainable is ill informed.  Heartbleed has not resulted in any material impact as far as cyber insurance goes.
Christian Bryant (User Rank: Ninja)
6/17/2014 | 6:17:05 PM
Re: High premiums, low coverage, & broad exclusions. Oh my!.
Also not filling me with the warm fuzzies, and as a mid-level engineer, I don't even have to worry about this type of analysis.  But, as someone in the trenches, I can see where this could go very wrong very quickly if not tightened up and regulated. 

Because "acts of God" are so unpredictable, it makes insurance on property difficult, but still doable with quantifiable damages and some level of predictability for some regions where earthquakes, tornados and typhoons occur with some certainty.  But how do you even begin to fully quantify the mind of a cyber criminal and what they might do, how they might do it, and what economic damage it will equate to?

For instance, how do you value 100,000 credit card numbers stolen?  What if the data includes more than just the numbers?  What if the criminal isn't interested in the numbers at all, but some other data?  What if the whole theft is a cover so someone doesn't realize the spending habits of a certain senator were what the target was all along?

And if you think people are getting ripped off now by life and property insurance scams, imagine the doors this opens...
Marilyn Cohodas (User Rank: Strategist)
6/17/2014 | 1:49:26 PM
High premiums, low coverage, & broad exclusions. Oh my!.
This doesn't seem like a very attractive solution -- at least for now. Ira, are there any circumstances where you think cyber insurance is a good idea? Or should companies wait until the cyber insurance market matures and begins offering some more comprehensive and affordable packages?