Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cyber Insurance Industry Expected To Boom

Posted by Soulskill on from the who-doesn't-love-new-forms-of-insurance dept.

An anonymous reader writes "The high profile hacks to Sony's systems this year were quite costly — Sony estimated losses at around $200 million. Their insurance company was quick to point out that they don't own a cyber insurance policy, so the losses won't be mitigated at all. Because of that and all the other notable hacking incidents recently, analysts expect the cyber insurance industry to take off in the coming year. 'Last October, the S.E.C. issued a new guidance requiring that companies disclose "material" cyber attacks and their costs to shareholders. The guidance specifically requires companies to disclose a "description of relevant insurance coverage." That one S.E.C. bullet point could be a boon to the cyber insurance industry. Cyber insurance has been around since the Clinton administration, but most companies tended to "self insure" against cyber attacks.'"

9 of 58 comments (clear)

  1. Just what the world needs by JimCanuck · · Score: 3, Interesting

    More insurance policies ....

  2. yet another industry by Anonymous Coward · · Score: 3, Insightful

    that produces absolutely nothing

    1. Re:yet another industry by omega_dk · · Score: 4, Insightful

      The other option, of course, is that the insurance company will mandate the better security practices, like is happening to get people out of the areas of New Orleans that are beneath sea level:
      http://www.msnbc.msn.com/id/14456934/ns/business-us_business/t/many-new-orleans-cant-afford-insurance/

      --
      Just because you don't like the truth, does not make it false.
  3. Not going to happen by seifried · · Score: 3, Interesting

    The data needed to make actuarial tables isn't good enough (so you can't assess risk rates that well), and the amount of self inflicted harm (e.g. Sony) is staggering. What will happen is insurance companies will attempt to do this, claims will be filed, and denied on various grounds (some legitimate, like you did have a password on the admin account, and some less legitimate) but payout rates will be low to zero. Companies will realize that attempts to financially offset the impact of the risk isn't working (you pay the premiums but never win any claims) and eventually stop buying cyber insurance.

    1. Re:Not going to happen by timeOday · · Score: 3, Interesting

      I agree with you on the problems, but maybe this budding industry will help standardize practices and metrics and make the IT industry more mature by quantifying risks as dollars so companies can understand them.

  4. This *might* actually improve things. by sehlat · · Score: 3, Insightful

    Insurance companies are notorious for avoiding risky customers, if not outright persecuting them (cf. "undisclosed prior conditions" in health insurance). If a company wants to get (or keep) cyber-insurance, it's a fair bet that the insurance company will have conditions of contract which will ensure better (not necessarily best) practices for things like interfaces, coding, intrusion detection, etc. that will minimize THEIR losses in event of a breach. The overall effect will be to make good security/coding/etc. practices actually cheaper than the amateurish "self-insurance" companies like Sony have practiced.

    Hi. I'm Bob, and I'll be your Code Review Actuary. If you pass, your premiums will drop by about ten percent.

  5. Good by swillden · · Score: 4, Insightful

    Insurance companies are good at managing risk. They know how to estimate it, how to mitigate it, and how to charge for taking it on so that they don't lose money.

    Businesses are good at managing costs, so when it comes to risks like security breaches which aren't well-understood, their tendency is to accept risk in order to cut costs. Forcing them to disclose what they're doing with respect to computer security risks will prompt a lot of concern from investors who want to see the risks mitigated, which will force businesses to get insurance. That will create a booming market for the insurance industry, but it will also prompt a lot of risk mitigation -- i.e. companies starting to do what they should have been doing to begin with -- in order to keep their insurance premiums down.

    I wouldn't be surprised if there's another effect of widespread information security insurance policies: more financial liability for breaches. The combination of better-established best practices for security and the availability of deep-pockets insurance companies to sue will likely enable and motivate bigger awards. If so, more liability will further increase the attention paid to security risks. That's a good thing.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    1. Re:Good by mounthood · · Score: 4, Insightful

      Insurance will only set the baseline standard, and will prevent further advances for the industry as a whole. Home and Car locks have been stagnant technology for 50+ years because the remaining risk is managed with insurance/laws/police. You can buy better locks and alarms, but they aren't being widely adopted because insurance (and a risk mitigation attitude) has removed the incentive.

      Twenty years from now what do we want cyber-security to look like? It should still be an ongoing effort, aggressive and widely distributed. Tying the financial costs of Sony's failure to insurance will raise their efforts to a baseline (set by insurance companies) and remove any motivation to do better. In fact, it will *prevent* Sony from doing better security, because they will need to do what the insurance companies have specified and nothing else, lest they interfere with the program specified by the the insurance companies.

      Should insurance companies dictate security? Doctors don't let them dictate treatments because health care is so important and hard to get right. Do you want insurance companies telling you which language to use, which libraries to use, how to log/audit/test/deploy etc...? The insurance companies and financial managers are there to make money, not to create new things or do things better.

      --
      tomorrow who's gonna fuss
  6. Home and car locks by Beryllium+Sphere(tm) · · Score: 3, Insightful

    >Home and Car locks have been stagnant technology for 50+ years

    What? 50 years ago you could hot-wire a car. Today we have immobilizers that won't let the engine start without cryptographic authentication.