Slashdot Mirror


Cyber Insurance Industry Expected To Boom

An anonymous reader writes "The high profile hacks to Sony's systems this year were quite costly — Sony estimated losses at around $200 million. Their insurance company was quick to point out that they don't own a cyber insurance policy, so the losses won't be mitigated at all. Because of that and all the other notable hacking incidents recently, analysts expect the cyber insurance industry to take off in the coming year. 'Last October, the S.E.C. issued a new guidance requiring that companies disclose "material" cyber attacks and their costs to shareholders. The guidance specifically requires companies to disclose a "description of relevant insurance coverage." That one S.E.C. bullet point could be a boon to the cyber insurance industry. Cyber insurance has been around since the Clinton administration, but most companies tended to "self insure" against cyber attacks.'"

16 of 58 comments

  1. Just what the world needs by JimCanuck · · Score: 3, Interesting

    More insurance policies ....

    1. Re:Just what the world needs by Penguinisto · · Score: 2

      You'd have to be nuts - even if you had a large, competent audit team to go over all the security procedures at big corporate network X

      ...you mean like a PCI audit (civilian), or a STIG inspection/audit (US gov't)? Those both involve external teams to come in periodically and check for compliance to published standards, then present plans to remedy any shortfalls, usually with a strict compliance date and re-inspection to ensure it. I work in the banking industry, and I get to see the PCI audit teams yearly. I used to work for a defense contractor, and they had very similar inspections on an even tighter schedule.

      1. be certain they follow the procedures/policies

      See above. If you're big enough or in certain industries, you don't have a lot of choice in the matter; you follow them or you lose certification (and therefore contracts/money).

      2. don't change the procedures/policies when the new manager is hired

      The new manager has to follow the same externally-published and enforced guidelines that the old one did. Now if the new guy wants to be stricter, he's more than welcome to.

      3. have a similar enough network to companies A - W that you can make up a generic risk analysis?

      This is the only missing piece - not any lack of similarities, mind - but in having risk analysis tables comprised and cross-referenced by industry. OTOH, that's more of a failing on the insurance industry's part than the tech world's. The first insurance company that manages to pull it off will make a mint.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
  2. yet another industry by Anonymous Coward · · Score: 3, Insightful

    that produces absolutely nothing

    1. Re:yet another industry by betterunixthanunix · · Score: 2

      It does not matter, these companies can now go tell their investors that they are "prepared" for when those evil hackers breach their security systems. Naturally, the idea that they could employ better security practices never occurs to the investors, who have been steeped in the "evil hackers are wizards who can do magic things that no ordinary person could possibly imagine" mindset.

      --
      Palm trees and 8
    2. Re:yet another industry by omega_dk · · Score: 4, Insightful

      The other option, of course, is that the insurance company will mandate the better security practices, like is happening to get people out of the areas of New Orleans that are beneath sea level:
      http://www.msnbc.msn.com/id/14456934/ns/business-us_business/t/many-new-orleans-cant-afford-insurance/

      --
      Just because you don't like the truth, does not make it false.
  3. Wait, what? by Anonymous Coward · · Score: 2, Insightful

    I'm certainly not on the inside at Sony or their insurer, and I haven't reviewed any documentation on actual insurance policies in force at Sony, but isn't this the sort of situation that errors and omissions insurance is supposed to cover?

  4. Not going to happen by seifried · · Score: 3, Interesting

    The data needed to make actuarial tables isn't good enough (so you can't assess risk rates that well), and the amount of self-inflicted harm (e.g. Sony) is staggering. What will happen is insurance companies will attempt to do this, claims will be filed, and denied on various grounds (some legitimate, like you didn't have a password on the admin account, and some less legitimate), but payout rates will be low to zero. Companies will realize that attempts to financially offset the impact of the risk aren't working (you pay the premiums but never win any claims) and eventually stop buying cyber insurance.

    1. Re:Not going to happen by timeOday · · Score: 3, Interesting

      I agree with you on the problems, but maybe this budding industry will help standardize practices and metrics and make the IT industry more mature by quantifying risks as dollars so companies can understand them.

  5. This *might* actually improve things. by sehlat · · Score: 3, Insightful

    Insurance companies are notorious for avoiding risky customers, if not outright persecuting them (cf. "undisclosed prior conditions" in health insurance). If a company wants to get (or keep) cyber-insurance, it's a fair bet that the insurance company will have conditions of contract which will ensure better (not necessarily best) practices for things like interfaces, coding, intrusion detection, etc. that will minimize THEIR losses in event of a breach. The overall effect will be to make good security/coding/etc. practices actually cheaper than the amateurish "self-insurance" companies like Sony have practiced.

    Hi. I'm Bob, and I'll be your Code Review Actuary. If you pass, your premiums will drop by about ten percent.

  6. Private sector regulation by Beryllium Sphere(tm) · · Score: 2

    There is precedent for companies contractually requiring better security from other companies. That's what PCI DSS is, for example. I'm no fan of "check the box" security, but it has a use in preventing obvious stupidity.

    The insurance industry seems to be treating ISO 27001 as the standard to use.

    1. Re:Private sector regulation by Trepidity · · Score: 2

      Yeah, they tend to go for formal, third-party standards like ISO 27001 because they're trying to combine two things: 1) mandate some minimal level of non-stupidity so they're not paying out for too many stupid things; but 2) be able to argue that it's an objective, neutral test, not them capriciously denying claims just to avoid paying them out.

  7. Good by swillden · · Score: 4, Insightful

    Insurance companies are good at managing risk. They know how to estimate it, how to mitigate it, and how to charge for taking it on so that they don't lose money.

    Businesses are good at managing costs, so when it comes to risks like security breaches which aren't well-understood, their tendency is to accept risk in order to cut costs. Forcing them to disclose what they're doing with respect to computer security risks will prompt a lot of concern from investors who want to see the risks mitigated, which will force businesses to get insurance. That will create a booming market for the insurance industry, but it will also prompt a lot of risk mitigation -- i.e. companies starting to do what they should have been doing to begin with -- in order to keep their insurance premiums down.

    I wouldn't be surprised if there's another effect of widespread information security insurance policies: more financial liability for breaches. The combination of better-established best practices for security and the availability of deep-pockets insurance companies to sue will likely enable and motivate bigger awards. If so, more liability will further increase the attention paid to security risks. That's a good thing.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    1. Re:Good by mounthood · · Score: 4, Insightful

      Insurance will only set the baseline standard, and will prevent further advances for the industry as a whole. Home and Car locks have been stagnant technology for 50+ years because the remaining risk is managed with insurance/laws/police. You can buy better locks and alarms, but they aren't being widely adopted because insurance (and a risk mitigation attitude) has removed the incentive.

      Twenty years from now what do we want cyber-security to look like? It should still be an ongoing effort, aggressive and widely distributed. Tying the financial costs of Sony's failure to insurance will raise their efforts to a baseline (set by insurance companies) and remove any motivation to do better. In fact, it will *prevent* Sony from doing better security, because they will need to do what the insurance companies have specified and nothing else, lest they interfere with the program specified by the insurance companies.

      Should insurance companies dictate security? Doctors don't let them dictate treatments because health care is so important and hard to get right. Do you want insurance companies telling you which language to use, which libraries to use, how to log/audit/test/deploy etc...? The insurance companies and financial managers are there to make money, not to create new things or do things better.

      --
      tomorrow who's gonna fuss
  8. A sticky thing by harvey the nerd · · Score: 2

    Often obtrusive "security" conflicts with the prime mission of the organization, sapping morale, efficiency and innovation. e.g. TSA. Good unobtrusive security is a rare jewel.

  9. Re:Not a bad thing by Animats · · Score: 2

    Insurance companies typically force the insured company to be proactive, i.e. start thinking about cyber-security (or fire safety, or employee driver training, etc.) *before* something catastrophic happens.

    Yes. The company famous for that is The Hartford Steam Boiler Inspection and Insurance Company. Back when steam engines were high-tech, and blew up frequently, Hartford Steam Boiler was established in 1866 to insure them. More than half the company's staff are boiler inspectors. They inspect before they issue the policy, and the policy gives them the right to inspect whenever they want to, which they do regularly. Very, very seldom does a boiler insured by Hartford Steam Boiler blow up.

    Many companies don't like that level of intrusiveness by an insurance company. On the other hand, it's been decades since a boiler insured by Hartford Steam Boiler blew up. It's time for computing to grow up and get that level of hard-ass attitude.

  10. Home and car locks by Beryllium Sphere(tm) · · Score: 3, Insightful

    >Home and Car locks have been stagnant technology for 50+ years

    What? 50 years ago you could hot-wire a car. Today we have immobilizers that won't let the engine start without cryptographic authentication.