Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
The Problem With Cyber Insurance
Newest First  |  Oldest First  |  Threaded View
JeffN726
JeffN726,
 User Rank: Apprentice
7/16/2014 | 8:02:01 AM
Check out FAIR
There is an exiting risk quantification framework called FAIR (factor analysis of information risk) which is available from the Open Group.  This framefwork provides a consistent and objective framework for quantifying cyber / information risk.  There is a vendor that offers software based on FAIR (CXOWARE) that does a credible job of quantifying risk.  Might be something worth looking into.
peterfxcassidy
peterfxcassidy,
 User Rank: Apprentice
6/25/2014 | 7:20:28 PM
Design for Actuarial Proxies and Underwriting Schema for Cyber Risk Already In Hand

Method, system, and service for quantifying network risk to price insurance premiums and bonds

United States 8494955

Issued July 23, 2013

A method for determining financial loss related to performance of an internetwork, comprising: collecting input information regarding performance of an internetwork usingtechniques that simultaneously record topology and performance; detecting at least one anomaly in at least one portion of said internetwork; translating said at least one anomaly into at least one operational risk for a financial entity thatunderwrites insurance premiums and bonds by: adding information about a first plurality of enterprises in an industry; estimating a total cost for said industry for said plurality of anomalies; and, determining respective costs for claims on insurance policies for said industry based on said total cost; or, interrogating at least a portion of the network topology; making estimates of internetwork conditions at the time of an anomaly resulting in a loss; and, calibrating a disbursement against acovered party's claims with respect to the at least one anomaly.

Problem solved.

 

Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
6/24/2014 | 8:25:17 AM
Re: unknown unknowns
This has been a fascinating thread with a lot of excellent points about the challenges of calcuating cyber security risk from an actuarial point of view versus the traditional cost/benefit, risk management perspective of an enterprise security team. Can there be objective, evidenced-based risk metrics in world of "unknown unknowns" that will offer organizations some additional protection in the even of a breach?  I hope so. But for the young cyber-insurance industry a lot remains to be seen. 
lg.alabris
lg.alabris,
 User Rank: Strategist
6/23/2014 | 10:18:35 PM
unknown unknowns
Underwriters have nominally avoided acts of war as legitimate risk opportunities, at least those operating with statistical evidence.  I cant imagine this market surviving given what we know about the origin of cyber attacks & PII compromise, etc.  Nature can be devastating but at least predictable.  These events will by nature continue to evolve as genuine gambling.  Perhaps both sides would be better off spending resources elsewhere.  Of course this will all go away when totally secure systems become available.  At that point cyber insurance will become irrelevant.
PaulWaite
PaulWaite,
 User Rank: Strategist
6/20/2014 | 10:18:30 PM
Re: The Problem With Cyber Insurance
Good comments Brian. I totally agree with your synopsis. CI is in its infancy and may take some time to mature.

Many CI carriers are unable to ascertain the value of data loss and what the compromised data may be. 

CI should not be seen as the panacea, but merely form a part of any good risk transfer/mitigation strategy.

 
Randy Naramore
Randy Naramore,
 User Rank: Ninja
6/18/2014 | 12:55:59 PM
Re: High premiums, low coverage, & broad exclusions. Oh my!.
While I see how the idea of cyber insurance is attractive to anyone who is concerned with the possiblility of breach, it is a false sense of security. If you follow defense in depth approach to security and make sure employees are educated to the dangers of the internet then you are doing all you can to "insure" yourself and even then you might be breached. IMO.
Robert McDougal
Robert McDougal,
 User Rank: Ninja
6/18/2014 | 12:33:50 PM
Re: High premiums, low coverage, & broad exclusions. Oh my!.
I agree, I don't see how this type of insurance will be anything more than a paper shield.  Basically, any company that does business on the internet can fall prey to a currently undiscovered vulnerability (think heartbleed).  Those companies could do everything within their power securely and still experience a breach.  In short, what I am pointing out is that there isn't a low risk group to offset the losses of the high risk group, making this coverage ultimately unsustainable.
Brian Thornton
Brian Thornton,
 User Rank: Apprentice
6/18/2014 | 6:46:25 AM
The Problem With Cyber Insurance
While there are plenty of good reasons to improve the evidence-based method to assess a company's cyber risk profile, I take issue with the statement, "This has resulted in high premiums, low coverage, and broad exclusions."

Rates are driven by loss ratios and suply and demand.  Over the last few years there have been many new markets entering the cyber insurnace world resulting in more competition and broader terms then just a year ago, especially for the smaller and mid-sized companies.  

This market is still in its infancy.  Compared to other lines of business there is a very low correlation to the insured's amount of data and how they protect it and their loss ratio.  The best risk can still easily have a bad loss and the worst risks can go clear for a long time.

As the market matures, this will become less of an issue.  I do agree that data collection in the underwriting process can provide a good basis long term risk comparison across a carrier's portfolio.  Things will no doubt move in that direction, but saying the lack of this in the industry has resulted in high premiums, low coverge, and broad exclusions is just not accurate.  Coverage has become broader and more competitive every year the product has evolved.

The insurance is part of an overall risk management process.  It starts with IT and involves senior management, education of the entire staff, and building an overall awareness of the exposures – ending with a component of risk transfer.  There are plenty of lower risk accounts that have less data and very good policies and procedures to balance out the higher risk accounts and a lot of carriers to share in the risk.  A comment that this insurance is unsustainable is ill informed.  Heartbleed has not resulted in any material impact as far as cyber insurance goes.
RetiredUser
RetiredUser,
 User Rank: Ninja
6/17/2014 | 6:17:05 PM
Re: High premiums, low coverage, & broad exclusions. Oh my!.
Also not filling me with the warm fuzzies, and as a mid-level engineer, I don't even have to worry about this type of analysis.  But, as someone in the trenches, I can see where this could go very wrong very quickly if not tightened up and regulated. 

Because "acts of God" are so unpredictable, it makes insurance on property difficult, but still doable with quantifiable damages and some level of predictability for some regions where earthquakes, tornados and typhoons occur with some certainty.  But how do you even begin to fully quantify the mind of a cyber criminal and what they might do, how they might do it, and what economic damage it will equate to?

For instance, how do you value 100,000 credit card numbers stolen?  What if the data includes more than just the numbers?  What if the criminal isn't interested in the numbers at all, but some other data?  What if the whole theft is a cover so someone doesn't realize the spending habits of a certain senator were what the target was all along?

And if you think people are getting ripped off now by life and property insurance scams, imagine the doors this opens...

 
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
6/17/2014 | 1:49:26 PM
High premiums, low coverage, & broad exclusions. Oh my!.
This doesn't seem like a very attractive solution -- at least for now. Ira, are there any circumstances where you think cyber insurance is a good idea? Or should companies wait until the cyber insurance market matures and canbegins offering some more comprehensive and affordable packages?


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-33196
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
CVE-2023-33185
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
CVE-2023-33187
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
CVE-2023-33194
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
CVE-2023-2879
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file