Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cyber Insurance Industry Expected To Boom

Posted by Soulskill on from the who-doesn't-love-new-forms-of-insurance dept.

An anonymous reader writes "The high profile hacks to Sony's systems this year were quite costly — Sony estimated losses at around $200 million. Their insurance company was quick to point out that they don't own a cyber insurance policy, so the losses won't be mitigated at all. Because of that and all the other notable hacking incidents recently, analysts expect the cyber insurance industry to take off in the coming year. 'Last October, the S.E.C. issued a new guidance requiring that companies disclose "material" cyber attacks and their costs to shareholders. The guidance specifically requires companies to disclose a "description of relevant insurance coverage." That one S.E.C. bullet point could be a boon to the cyber insurance industry. Cyber insurance has been around since the Clinton administration, but most companies tended to "self insure" against cyber attacks.'"

58 comments

  1. Just what the world needs by JimCanuck · · Score: 3, Interesting

    More insurance policies ....

    1. Re:Just what the world needs by magarity · · Score: 1

      I don't think all that many will be written. Think about it: you can get car insurance (and health and life and home, etc, etc) because your car meets the local safety standards and most people aren't intentionally suicidal, therefore the insurance company can impersonally look up in its actuarial tables to find your risk. But computer systems? You'd have to be nuts - even if you had a large, competent audit team to go over all the security procedures at big corporate network X, can you 1. be certain they follow the procedures/policies 2. don't change the procedures/policies when the new manager is hired 3. have a similar enough network to companies A - W that you can make up a generic risk analysis? Every "cyber insurance" policy would have to be cost prohibitively customized and monitored. The insurance companies may go out on a limb and issue some, but not many companies will be able to afford it and when something happens that needs a payout the insurance company that has any sense will do a post-mortem and decide not to pay because employee(s) screwed something up compared to the procedures/policies the insurance company was insuring.

    2. Re:Just what the world needs by Penguinisto · · Score: 2

      You'd have to be nuts - even if you had a large, competent audit team to go over all the security procedures at big corporate network X

      ...you mean like a PCI audit (civilian), or a STIG inspection/audit (US gov't)? Those both involve external teams to come in periodically and check for compliance to published standards, then present plans to remedy any shortfalls, usually with a strict compliance date and re-inspection to insure it. I work in the banking industry, and I get to see the PCI audit teams yearly. I used to work for a defense contractor, and they had very similar inspections on an even tighter schedule.

      1. be certain they follow the procedures/policies

      See above. If you're big enough or in certain industries, you don't have a lot of choice in the matter; you follow them or you lose certification (and therefore contracts/money).

      2. don't change the procedures/policies when the new manager is hired

      The new manager has to follow the same externally-published and enforced guidelines that the old one did. Now if the new guy wants to be stricter, he's more than welcome to.

      3. have a similar enough network to companies A - W that you can make up a generic risk analysis?

      This is the only missing piece - not any lack of similarities, mind - but in having risk analysis tables comprised and cross-referenced by industry. OTOH, that's more of a failing on the insurance industry's part than the tech world's. The first insurance company that manages to pull it off will make a mint.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    3. Re:Just what the world needs by marcosdumay · · Score: 1

      The problem is that doesn't work, so people won't bet money on it.

      There is no set of formal requirements that guarantees security. It can't be created.

      --
      Rethinking email
    4. Re:Just what the world needs by JimCanuck · · Score: 1

      There is no formal requirements that guarantees a drivers ability to drive a car either. Hence insurance to protect yourself from other idiots on the road.

  2. yet another industry by Anonymous Coward · · Score: 3, Insightful

    that produces absolutely nothing

    1. Re:yet another industry by betterunixthanunix · · Score: 2

      It does not matter, these companies can now go tell their investors that they are "prepared" for when those evil hackers breach their security systems. Naturally, the idea that they could employ better security practices never occurs to the investors, who have been steeped in the "evil hackers are wizards who can do magic things that no ordinary person could possibly imagine" mindset.

      --
      Palm trees and 8
    2. Re:yet another industry by omega_dk · · Score: 4, Insightful

      The other option, of course, is that the insurance company will mandate the better security practices, like is happening to get people out of the areas of New Orleans that are beneath sea level:
      http://www.msnbc.msn.com/id/14456934/ns/business-us_business/t/many-new-orleans-cant-afford-insurance/

      --
      Just because you don't like the truth, does not make it false.
    3. Re:yet another industry by Ethanol-fueled · · Score: 1

      If we mandate the insurance, however, we will have yet another bloated bubble on our hands along with the expectation that the costs will be passed down.

    4. Re:yet another industry by Anonymous Coward · · Score: 0

      when those evil hackers breach their security systems

      Well, they are evil. Your italics indicate irony on your part; I think that is misplaced.

  3. Just wonderful by Anonymous Coward · · Score: 0

    As if the "IT security industry" wasn't already full of snake oil in the name of "due dilligence", and filling swiss cheese with easy cheez for easy laughs and prolonging the problem.

  4. Wait, what? by Anonymous Coward · · Score: 2, Insightful

    I'm certainly not on the inside at Sony or their insurer, and I haven't reviewed any documentation on actual insurance policies in force at Sony, but isn't this the sort of situation that errors and omissions insurance is supposed to cover?

    1. Re:Wait, what? by Ramin_HAL9001 · · Score: 1

      I think errors and omissions only covers expensive accidental data loss, or profit losses due to down-time, but not actual theft of data. I think cyber insurance is more for protection of a system that was otherwise functioning normally but suffered losses due to deliberate, malicious break-in through unseen holes in the system's security. It wouldn't surprise me if errors and omissions policies explicitly exclude coverage of damages due to malicious hacking.

      Theft insurance is different from accident insurance because assessing risk for each scenario is entirely different.

  5. Not going to happen by seifried · · Score: 3, Interesting

    The data needed to make actuarial tables isn't good enough (so you can't assess risk rates that well), and the amount of self inflicted harm (e.g. Sony) is staggering. What will happen is insurance companies will attempt to do this, claims will be filed, and denied on various grounds (some legitimate, like you did have a password on the admin account, and some less legitimate) but payout rates will be low to zero. Companies will realize that attempts to financially offset the impact of the risk isn't working (you pay the premiums but never win any claims) and eventually stop buying cyber insurance.

    1. Re:Not going to happen by mvar · · Score: 1

      My first thought was that this could be "easy money" for any company that buys such an insurance. But OTOH the insurance companies will probably want a minimum set of specifications or even access to the client's firewalls, systems etc. This is going to be interesting

    2. Re:Not going to happen by timeOday · · Score: 3, Interesting

      I agree with you on the problems, but maybe this budding industry will help standardize practices and metrics and make the IT industry more mature by quantifying risks as dollars so companies can understand them.

    3. Re:Not going to happen by mspohr · · Score: 1

      The way insurance companies work is to carefully write lots of fine print which limits their exposure. For instance, my home insurance policy comes with 22 pages of fine print which is can only be parsed by a lawyer after the fact. This gives them lots of outs to avoid paying a claim. I imagine that these insurance policies will also come with lots of fine print to guarantee that they won't have to pay anything significant. These policies will be a boon for the insurance companies but the insured will be SOL if they are actually stupid enough to have a loss.

      --
      I don't read your sig. Why are you reading mine?
  6. Maybe by koan · · Score: 1

    Maybe we will get realistic numbers from these "hacking" events, now we will get what the insurance companies will actually cover which may be in line with actual losses rather than the exaggerated loss propaganda we usually hear about.

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:Maybe by koan · · Score: 1

      OK wow... that was poorly written but you get the gist right?

      --
      "If any question why we died, Tell them because our fathers lied."
    2. Re:Maybe by betterunixthanunix · · Score: 1

      I get the gist, but more likely we will hear this sort of state:

      Hackers attacked our security system and stole customer data. We have been partially covered by our insurance policy, but will still have to deal with a $400 trillion loss.

      --
      Palm trees and 8
  7. companies don't pay the costs of Security as it is by Joe_Dragon · · Score: 1

    So will moving funds to cyber insurance policy help fix??

    Look at sony they cut down there Security staff right be for they got hit by the big hack and maybe if they did not make that cut then maybe the hack would not been so big.

    Lack of funds to update Security software / hardware?

    Lack of man power to have good Security?

    Lack of basic IT man power?
    some times this leads to poor Security as people / departments don't have the time to wait for IT so they some times bypass IT to get work done / have IT lower security with out doing in a way that still keeps some security in place aka we need are our own department sever and we are paying for it and managing it and we just need it to be open to us / maybe have a out side IP vs having IT run and manage that sever.

    lack of funds to update older software and hardware that has security bugs aka still having IE6 and lacking the funds to update in house apps that don't work with newer ie's / firefox.

    Lack of staff so people are pulling 60-80 hour weeks and make more errors / miss stuff.

    also poor password rules lead to the passwords being on post it notes.

  8. I'm sorry son, is this code UL listed? by johnny+cashed · · Score: 1

    Maybe this will introduce standards for coding that the insurance industry can live with.

    UL listed code?

    1. Re:I'm sorry son, is this code UL listed? by Anonymous Coward · · Score: 1

      My experience in this kind of thing was:
                          1. The Companies lenders/insurance company demand some type of certification of acceptable standards.
                          2. Software suppliers/consulting companies begin to offer said certification.
                          3. Obtaining said certification requires large purchases of software suppliers software and consulting companies services.

    2. Re:I'm sorry son, is this code UL listed? by Lehk228 · · Score: 1

      Everything will have to be done in python or perl

      --
      Snowden and Manning are heroes.
    3. Re:I'm sorry son, is this code UL listed? by Anonymous Coward · · Score: 0

      I'm okay with that.

    4. Re:I'm sorry son, is this code UL listed? by geekmux · · Score: 1

      Maybe this will introduce standards for coding that the insurance industry can live with. UL listed code?

      The "1,000 ways to skin a cat" analogy barely touches the surface of available options to code a solution in software.

      Good luck getting someo...er, anyone, to agree to a "standard" in there.

    5. Re:I'm sorry son, is this code UL listed? by Anonymous Coward · · Score: 0

      They'll standardize on something completely inane, I'm sure. The vendors are probably standing by to offer "security certified" software. (Without taking on any actual liability, of course. Just a best practices checklist, and a fee to keep the smaller players out.)
      If a list of "insurance approved" software ever comes out, look for Microsoft, Oracle and Adobe right at the top.

    6. Re:I'm sorry son, is this code UL listed? by Ramin_HAL9001 · · Score: 1

      This might be too optimistic, but it may encourage more open-source software. Problems due to in-house proprietary solutions that do not follow proper coding standards, and are not peer reviewed by the hacking-community at large may well be identified as a major risk and drive-up the cost of non-open code, encouraging more code to be opened.

      Or it will just wind-up creating a huge racket for proprietary solutions, only benefiting huge companies with lots of capital that can afford the huge cost of developing insurable, standards-compliant proprietary code without opening their code to peer review from the larger hacking community. In this case, I hope the Linux Foundation can afford to get Linux to comply with the insurance companies standards.

  9. This *might* actually improve things. by sehlat · · Score: 3, Insightful

    Insurance companies are notorious for avoiding risky customers, if not outright persecuting them (cf. "undisclosed prior conditions" in health insurance). If a company wants to get (or keep) cyber-insurance, it's a fair bet that the insurance company will have conditions of contract which will ensure better (not necessarily best) practices for things like interfaces, coding, intrusion detection, etc. that will minimize THEIR losses in event of a breach. The overall effect will be to make good security/coding/etc. practices actually cheaper than the amateurish "self-insurance" companies like Sony have practiced.

    Hi. I'm Bob, and I'll be your Code Review Actuary. If you pass, your premiums will drop by about ten percent.

  10. Security is expensive, counterintuitive, etc. by betterunixthanunix · · Score: 1

    Security requires experts with experience in the field. Security is not something you buy, it needs to be adapted to the particular needs of an organization, and it is often counter-intuitive. Worse still, after paying a lot for an expert who tells you to do things that seem weird and not what you were expecting, you have no way to tell whether or not the security policy accomplished anything at all. Insurance is cheaper, and it is something your investors and board members can understand.

    --
    Palm trees and 8
    1. Re:Security is expensive, counterintuitive, etc. by Hentes · · Score: 1

      Worse still, after paying a lot for an expert who tells you to do things that seem weird and not what you were expecting, you have no way to tell whether or not the security policy accomplished anything at all.

      Sure you can. Hire a whitehat. Security, like everything in IT, needs to be tested.

  11. Or... by betterunixthanunix · · Score: 1

    Or the policy will only cover a certain maximum amount of loss, certain kinds of security breaches, etc. Why spend the money auditing when you can just not spend money and not pay out when a company is attacked?

    --
    Palm trees and 8
    1. Re:Or... by artor3 · · Score: 1

      Because your would-be clients have armies of lawyers to dig through any proposed contracts and make sure they're really covered. If you leave in loopholes to get out of paying, while Company X offers real coverage with audits to set the price, most customers will choose Company X ... and those that don't will next time.

    2. Re:Or... by betterunixthanunix · · Score: 1

      Company X requires you to spend large sums of money to bring your security up to date, so that you can pay them for something that is far less likely to happen. Company Y with lower premiums does not, but is less likely to pay. Your investors could not care less which company you go with, as long as you maximize profits. Which would your company go with?

      --
      Palm trees and 8
  12. cyber ... cyber ... cyber by Anonymous Coward · · Score: 0

    ugh. Next up: iInsurance? (for your iDevice) Cloud Insurance? (for ... whatever) Social Insurance? (keep your ins. co up to date by posting about you and your friends' latest transgressions via their app) NanoInsurance? (in case of grey goo) Buzzword Insurance? (pays out everytime I am subjected to a /. summary with more than one occurance of a buzzword)

  13. Private sector regulation by Beryllium+Sphere(tm) · · Score: 2

    There is precedent for companies contractually requiring better security from other companies. That's what PCI DSS is, for example. I'm no fan of "check the box" security, but it has a use in preventing obvious stupidity.

    The insurance industry seems to be treating ISO 27001 as the standard to use.

    1. Re:Private sector regulation by Trepidity · · Score: 2

      Yeah, they tend to go for formal, third-party standards like ISO 27001 because they're trying to combine two things: 1) mandate some minimal level of non-stupidity so they're not paying out for too many stupid things; but 2) be able to argue that it's an objective, neutral test, not them capriciously denying claims just to avoid paying them out.

      --
      10 PRINT CHR$(205.5+RND(1)); : GOTO 10
  14. Not a bad thing by Sgs-Cruz · · Score: 1

    Insurance companies typically force the insured company to be proactive, i.e. start thinking about cyber-security (or fire safety, or employee driver training, etc.) *before* something catastrophic happens. Like think of how your home fire insurance rates are lower if you install an automatic sprinkler system... same idea here with cyber-security. I have no doubt that the big insurance companies will be looking closely at companies' security policies before writing them a $200-million policy.

    --

    Karma: pi (Mostly due to circular reasoning in posts).

    1. Re:Not a bad thing by Animats · · Score: 2

      Insurance companies typically force the insured company to be proactive, i.e. start thinking about cyber-security (or fire safety, or employee driver training, etc.) *before* something catastrophic happens.

      Yes. The company famous for that is The Hartford Steam Boiler Inspection and Insurance Company. Back when steam engines were high-tech, and blew up frequently, Hartford Steam Boiler was established in 1866 to insure them. More than half the company's staff is boiler inspectors. They inspect before they issue the policy, and the policy gives them the right to inspect whenever they want to, which they do regularly. Very, very seldom does a boiler insured by Hartford Steam Boiler blow up.

      Many companies don't like that level of intrusiveness by an insurance company. On the other hand, it's been decades since a boiler insured by Hartford Steam Boiler blew up. It's time for computing to grow up and get that level of hard-ass attitude.

  15. Good by swillden · · Score: 4, Insightful

    Insurance companies are good at managing risk. They know how to estimate it, how to mitigate it, and how to charge for taking it on so that they don't lose money.

    Businesses are good at managing costs, so when it comes to risks like security breaches which aren't well-understood, their tendency is to accept risk in order to cut costs. Forcing them to disclose what they're doing with respect to computer security risks will prompt a lot of concern from investors who want to see the risks mitigated, which will force businesses to get insurance. That will create a booming market for the insurance industry, but it will also prompt a lot of risk mitigation -- i.e. companies starting to do what they should have been doing to begin with -- in order to keep their insurance premiums down.

    I wouldn't be surprised if there's another effect of widespread information security insurance policies: more financial liability for breaches. The combination of better-established best practices for security and the availability of deep-pockets insurance companies to sue will likely enable and motivate bigger awards. If so, more liability will further increase the attention paid to security risks. That's a good thing.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    1. Re:Good by mounthood · · Score: 4, Insightful

      Insurance will only set the baseline standard, and will prevent further advances for the industry as a whole. Home and Car locks have been stagnant technology for 50+ years because the remaining risk is managed with insurance/laws/police. You can buy better locks and alarms, but they aren't being widely adopted because insurance (and a risk mitigation attitude) has removed the incentive.

      Twenty years from now what do we want cyber-security to look like? It should still be an ongoing effort, aggressive and widely distributed. Tying the financial costs of Sony's failure to insurance will raise their efforts to a baseline (set by insurance companies) and remove any motivation to do better. In fact, it will *prevent* Sony from doing better security, because they will need to do what the insurance companies have specified and nothing else, lest they interfere with the program specified by the the insurance companies.

      Should insurance companies dictate security? Doctors don't let them dictate treatments because health care is so important and hard to get right. Do you want insurance companies telling you which language to use, which libraries to use, how to log/audit/test/deploy etc...? The insurance companies and financial managers are there to make money, not to create new things or do things better.

      --
      tomorrow who's gonna fuss
  16. Stock oportunities by Anonymous Coward · · Score: 0

    Any of these said companies publicly traded? You know, just for reference...?

  17. A sticky thing by harvey+the+nerd · · Score: 2

    Often obtrusive "security" conflicts with the prime mission of the organization, sapping morale, efficiency and innovation. e.g. TSA. Good unobtrusive security is a rare jewel.

  18. May be good by Anonymous Coward · · Score: 1

    Insurance companies usually demand some risk mitigation (such as building codes or safe driving records). This could force companies to tighten up their security to lower their insurance premiums. Tightening up security to limit losses is something too immeasurable to put on the balance sheet.

  19. here we go by Dolphinzilla · · Score: 1

    on the road to higher priced software.... as soon as Insurance and lawyers get involved we're screwed

  20. Insurance for insurance sake. by geekmux · · Score: 1

    "...Last October, the S.E.C. issued a new guidance requiring that companies disclose "material" cyber attacks and their costs to shareholders. The guidance specifically requires companies to disclose a "description of relevant insurance coverage." That one S.E.C. bullet point could be a boon to the cyber insurance industry."

    Er, could be a boon? Ah, smells more like "you grease this palm, and I'll make you billions" type of "guidance". Give me a break. It really can't get much more blatant than this, pulling yet another form of pointless "mandatory" insurance out of your ass.

    And yes, it will likely be pointless by the time you get to the fine print on paying out a half-billion dollar cyberinsurance claim.

  21. Coverage Denied due to lack of Auditing by Anonymous Coward · · Score: 0

    Your Cyber Insurance Claim has been denied due to not conducting Internal and 3rd Party External Audits since we have not received on time your Audit reports for the past 5 years.

    So are there any other ways to wiggle out of paying the claims?

  22. Standard and recommended practices by perpenso · · Score: 1

    Just what the world needs. More insurance policies ....

    On the other hand the insurance policies may require some reasonable IT practices. Perhaps a manager who is not so responsive to the argument "these practices are standard and recommended" will be more responsive to "failure to meet these practices will get our insurance policy canceled".

  23. Trading Places by mounthood · · Score: 1

    My first thought was that this could be "easy money" for any company that buys such an insurance.

    You want me to break something else? http://www.youtube.com/watch?v=vkkM9YAJ-Ts

    --
    tomorrow who's gonna fuss
  24. Unions will go a long way as well. by Joe_Dragon · · Score: 1

    so that the works can tell management that no your plan will not work / will not pass the security plan. Also they will cover IT's ass when the CEO or other higher up's brakes the rules and there is a security leak.

    Also maybe they can say that makeing people put in 80 hours weeks is bad for good code that will pass the security plan.

  25. force BSA Auditing by Joe_Dragon · · Score: 1

    in where each pice of software must have a software update plan.

  26. Bad by Anonymous Coward · · Score: 0

    They're starting to do this now anyway despite no insurance - bad publicity is the kick in the ass they need, and keeps them in check, since customers can easily drop internet services and substitute them for others. With the insurance, they will only take enough measures to meet the bare minimum of standards and figure the insurance will cover their ass, and pass the cost on to the customer.

  27. The real intrusions can't be proven by Hentes · · Score: 1

    The real intrusions are very hard to prove, the hacks that get discovered are the ones that couldn't manage to be subtle enough. Even if there are signs, unless it is a lulzsec-like troIl group doing it publicly the insurance company will refuse to pay. IT security insurance will just make companies overconfident and worrying even less about security, and when they get hacked they will find that the insurance company isn't paying for the huge losses as they can't be proven.

  28. Cue hackers by Khyber · · Score: 1

    To show what a scam cyber insurance really is.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  29. we're toast by harvey+the+nerd · · Score: 1

    More post industrial hot air. Insurance typically sucks in 2-4x the actual loss claims paid (then think of precious high interest rate capital for years ahead), not a source of competitive growth or information, and will stifle the growth of new competitive edges. The US is toast, an economy running on empty promises and bs.

  30. Lol by lightknight · · Score: 1

    Just like the 'Green Jobs / Economy,' right boys? Admittedly, this might be slightly more tangible than the previous 'opportunity,' but I have my doubts.

    On a side note, what happened to investing in actual technological innovation? A little-less pie-in-the-sky, a little more our scientists have confirmed this is doable, and our engineers desperately want to build a new fab to we can retire in style in 5 years?

    Does anyone understand what I am attempting to convey here? We've gone from the poker table to the slot machine. Poker requires more skill, and will take more time to see if you win the pot, but the odds are better than the slot machine, which just takes your money. And the payoff is more significant, if / when it happens.

    Does anyone do risk / analysis anymore? I feel I need some confirmation that we still do that.

    --
    I am John Hurt.
  31. Home and car locks by Beryllium+Sphere(tm) · · Score: 3, Insightful

    >Home and Car locks have been stagnant technology for 50+ years

    What? 50 years ago you could hot-wire a car. Today we have immobilizers that won't let the engine start without cryptographic authentication.

  32. A Bandaid by Bengie · · Score: 1

    Not to say there isn't room for some sort of cyber-insurance, but the whole issue with Sony was their lack of competent programmers and admins.

    Of course they go the way of wanting insurance instead of fixing the root of the problem.

    They go the route of 1lb of cure is better than 1oz of prevention, probably because it's easier to measure the effectiveness of a cure than prevention.