Ask Slashdot: Cyber Insurance. Solution Or Snake Oil?
onehitwonder writes "A recent article in The Wall Street Journal's CIO Journal argues in favor of the benefits of cyber liability insurance — policies designed to help companies cover costs they incur in the aftermath of data breaches (whether for investigation, remediation, customer notification, regulatory fines or legal settlements). Two Deloitte consultants interviewed for the article argue that cyber insurance can help companies offset the increasingly staggering costs of a data breach. (Several of the biggest data breaches in recent history, including Heartland and TJX, have cost those companies hundreds of millions of dollars. A Mizuho Investors Securities analyst estimated the total cost of the 2011 Sony data breaches at $1.25 billion.) The question is: will insurance providers really come through when companies begin filing claims on their cyber liability policies, or will they find ways out? A 2011 article from Computerworld notes that even though a growing number of companies have been purchasing cyber insurance, it's hard to find examples where one of those policies has actually covered the costs of a data breach. Moreover, the Computerworld article points out that many cyber insurance policies cover only the cost of re-creating whatever data may have been lost during the breach — not notification costs, legal costs or other related expenses."
Insurance companies *always* try to find a way out. That's their job; protect their bottom line.
If you don't get too screwed, they'll probably pay out, just because it improves their reputation enough to improve their bottom line.
Do you want to bet that you'll get less screwed by a data intrusion than by the insurance company? Go for it!
---jstlook ---For that is the way of Elves, for they say both yes AND no, and mean every word of it. --- J.R.R.T.
Do you want to bet that you'll get less screwed by a data intrusion than by the insurance company? Go for it!
That is in effect the essential idea of insurance. It's a wager. Clearly it only works if more money gets taken from "losers" than gets paid to "winners."
"His name was James Damore."
When you look at the various data breaches that became public in the more recent past (especially those done as some kind of protest or out of spite, to harm a company in its goodwill) and analyze the attack vector, you cannot help but shake your head in disbelief. The vectors range from SQL injections to exploits in ancient software that should have been patched months, if not years ago. If that isn't the textbook example of negligence, what is?
Still, I'm all FOR insurance. Because insurers are notorious for requiring their customers to minimize the chance for a reason to file a claim, and your premium is usually dependent on your risk. If you invest in security, your insurance premium would be lower, and we might FINALLY see some CEOs invest in security since now they can see that it's cheaper than paying for the insurance, since they're blind to the fact that it's cheaper than paying for the fallout.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Might as well buy a lottery ticket instead!
I have found great benefit in replacing the word "cyber" with the word "medieval" whenever I'm asked to evaluate things like this. It's fairly easy to do with a quick search and replace.
I would hope that a company that takes reasonable steps to secure data is not liable for leaks. But if the leak is an exploit of software that is not open to study by the public then the creator of the software should bear the expenses involved. Open code should relieve liabilities.
And here is a great article from researcher Rainer Bohme that explains why it's hard. It's a fairly technical paper, but one big issue is that insurance companies operate on a reserve that assumes catastrophic events are bounded, perhaps by region. That's not the case with correlated cyber-risks. This is explained in Section 3.
How do these companies arrive at hundreds of million/billion dollars worth of "damages" anyway? Is this using the MPAA/RIAA method of accounting? Do they have to shut down the entire company for a week? Seriously, did absolutely no one make a recent backup of the databases? Do they have to replace all the computer equipment? Are the IT people so expensive? Where does the figure come from?
Seven puppies were harmed during the making of this post.
I am leaning more towards snake oil, but it might be a good thing. I have often had doubts about the monetary damages claimed in outages/leaks/data theft. Insurance companies providing other types of insurance don't just pay out claims because you said something was valuable, but want some supporting evidence of the value of the claim. Maybe the companies filing claims against their "cyber insurance" policy will have a hard time justifying it, and we will stop seeing exaggerated claims. The reason I say it is probably more likely snake oil is that it is pretty hard to put a value on the damage to customer trust that can occur when information like credit card numbers is stolen. Does "cyber insurance" cover lost sales?
Frankly, when you are talking about something that can cost over 100 million if you are a big company and get hacked? Hell, you might as well use the monthly premiums for blackjack because you KNOW they'll just file bankruptcy if you try to cash it in.
The simple fact of the matter is the ONLY way insurance works is if there are enough buyers to 1. pay out any losses and 2. if it's a publicly traded company, pay for the ever higher profits they have to show to keep the stocks from tanking. When you are talking about a niche THIS teeny tiny? I'm sorry, but insurance just won't work, there won't be enough paying into the pool to cover losses, instead they'll just file bankruptcy if you try to make a claim large enough to make the insurance worth having.
ACs don't waste your time replying, your posts are never seen by me.
Ways out:
- We took the money and ran, your coverage is void.
- You failed to adequately protect your network, your coverage is void.
- You angered nerds, you brought this on yourself, your coverage is void.
many cyber insurance policies cover only the cost of re-creating whatever data may have been lost during the breach — not notification costs, legal costs or other related expenses."
Data loss in a security breach usually and normally refers to the data that was exfiltrated or successfully leaked by an attacker. For example: Data Loss Protection software is designed to detect attempts to send personally identifiable information such as social security numbers over e-mail or upload it out of the company LAN.
As for recreating sabotaged or destroyed data; that is not always possible, but it's supposed to be part of the backups. A good insurer should compensate for the financial loss resulting from the destroyed data, not attempt to pay for what it will take to recreate it.
Assuming it's data that could be recreated, by the time it's recreated it may be worthless, because the time requirement allowed a competitor to get ahead and get the patent filings done first.
So it's reasonable to assume that they will impose more effective and more thorough security standards than companies would otherwise do. Just think about fire hazards. Most companies I know of implement fire prevention measures, install firefighting equipment, and conduct fire drills because they are obligated to do so by law or by their insurance company. Not because they feel any special responsibility towards their employees, their neighbours, or society at large.
The flip side of the coin however is that there is little incentive to go one step further than they are obligated to. In other words: what matters isn't whether there is a risk, but whether it's covered. And besides, insurance companies care only about the *financial* damage, i.e. the amount of the claim. To begin with, they will demand that companies they insure limit the potential damage through contract negotiations, terms of use etc. That potentially leaves a window open for painful security breaches that nonetheless carry little financial consequences.
I'm not sure how that will play out, but given the history of the past 5-10 years compulsory safety standards do seem needed.
Just a hunch, but, maybe people should check to see if these "insurance" companies are allowed to operate in their state before getting happy with the checkbook.
*Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
We buy insurance to hedge against a major problem. House on fire, theft, car accident, floods, lawsuits... For the most part stuff you normally don't want to happen to you. The insurance company's job is to cover you in case of the problem.
Now they can't operate without making money, and they are for profit. So they will try to make sure they will make their money on the whole. They do this by charging a fee for service. Now the cost of the fee per service needs to be high enough to cover your probability that a problem will occur. So say there is a 1 out of a 100 chance that you will suffer a $100 claim. They will need to charge you at least $1, but that is rather unreasonable because the company has its own expenses, people to manage your claims, your account, payroll, building expenses... etc... Also you expect that they want to make a profit of at least 20%. So you will probably be paying $3 for insurance.
Now there is a lot of competition out there. So they are pressured to keep their prices down. Because their prices need to be competitive there isn't much room to be generous. So for your $100 claim (say your cheap cell phone got stolen), the insurance company may state that because you had your $100 phone for a year its depreciated cost is $50, and they will only give you $50 for it, figuring you can get a used phone off eBay, or take the money and just use it as part of buying a new phone, figuring you would have bought a new phone within the next year.
You as the customer would feel scammed because while your phone may be worth $50 in terms of technology, it had your contacts on it and your favorite ringtone, and perhaps it has some more meaning to you.
In short if you want full coverage you will need to pay more. If you want cheap expect to get corners cut.
That said, going cheap may still be an option, as this accident may never happen, and you would be better off. Also getting the partial claim, plus the money saved on lower rates may make it better. They account for this stuff too.
Now you could in essence get a loan in place of insurance. However the loan price is based on a 100% chance you will get an accident. So for a home loan you will be paying 100% of your mortgage vs paying 15% of your mortgage. Or you can suffer the consequences of not having insurance. I don't pay for extra insurance on my phone myself. If it gets lost or stolen, then I will lose and need to get a new product. But I can deal with it.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Take fire insurance for example. A fire that happens in say Miami, FL is most likely not going to increase the risk of a fire occurring in Seattle, WA. Therefore a fire insurance company can make sure that the clients they select are geographically distributed to distribute the risk AND minimize the risk correlation.
In contrast, cyber insurance is somewhat unique from typical insurance because there is an inherent correlated risk that you run into regardless of how and where you choose your clients. Most clients run the same OS (Windows) and use the same software and AV packages. Therefore, a data breach that occurs with one client can mean other clients can be at immediate risk to also have a data breach.
So what can happen is that a cyber insurance company can end up needing to pay out more money than they collect because breaches can happen concurrently or consecutively.
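The correlated-risk point made above, and the reserve argument from the Böhme paper cited earlier in the thread, can be made concrete with a small calculation. This is an added example, not code from the thread or from the paper: it compares the capital an insurer must hold for a pool of independent risks (the fire case) against a pool with a common-shock component (a shared OS or AV flaw), holding the per-client breach probability, and therefore the premium, identical. The client count, claim size and shock parameters are constructed assumptions.

```python
from math import comb

# Constructed scenario (not from the thread): 100 insured clients, each a
# $1M claim if breached. Both pools charge the same premium because the
# marginal per-client breach probability is identical; only the dependence
# between clients differs.
N_CLIENTS = 100
CLAIM_USD = 1_000_000
P_BREACH = 0.05     # marginal per-client breach probability per year (assumed)
SHOCK_PROB = 0.05   # chance per year that a shared flaw is exploited at scale
SHOCK_HIT = 0.50    # breach probability for every client given such a shock


def binomial_pmf(n, k, p):
    """P(exactly k of n clients breach) when each breaches independently with prob p."""
    return comb(n, k) * p ** k * (1 - p) ** (n - k)


def independent_pool(n, p):
    """Fire-insurance-style pool: each client's loss is independent of the others."""
    return [binomial_pmf(n, k, p) for k in range(n + 1)]


def common_shock_pool(n, p_marginal, q, r):
    """Cyber pool: with probability q a shared vulnerability is exploited and every
    client breaches with probability r; otherwise clients breach independently at a
    baseline rate chosen so the marginal per-client probability still equals
    p_marginal (same expected claims, hence same fair premium, as the independent pool)."""
    baseline = (p_marginal - q * r) / (1 - q)
    if not 0 <= baseline <= 1:
        raise ValueError("shock parameters incompatible with marginal probability")
    return [(1 - q) * binomial_pmf(n, k, baseline) + q * binomial_pmf(n, k, r)
            for k in range(n + 1)]


def expected_claims(dist):
    return sum(k * pk for k, pk in enumerate(dist))


def claims_at_confidence(dist, confidence):
    """Smallest claim count k with P(claims <= k) >= confidence: the number of
    simultaneous claims the insurer must be able to fund to stay solvent at that
    confidence level."""
    cumulative = 0.0
    for k, pk in enumerate(dist):
        cumulative += pk
        if cumulative >= confidence:
            return k
    return len(dist) - 1


def compare_pools(confidence=0.99):
    """Expected claims and required reserve (USD) for both pool models."""
    indep = independent_pool(N_CLIENTS, P_BREACH)
    corr = common_shock_pool(N_CLIENTS, P_BREACH, SHOCK_PROB, SHOCK_HIT)
    return {
        "expected_claims_independent": expected_claims(indep),
        "expected_claims_correlated": expected_claims(corr),
        "reserve_independent": claims_at_confidence(indep, confidence) * CLAIM_USD,
        "reserve_correlated": claims_at_confidence(corr, confidence) * CLAIM_USD,
    }


if __name__ == "__main__":
    for key, value in compare_pools().items():
        print(f"{key:30s} {value:,.0f}")
```

With these assumptions both pools expect five claims a year, yet the correlated pool needs several times the reserve of the independent one at 99% confidence, which is the gap a thinly capitalised insurer closes by declining claims or going under.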
Anti-virus companies have been found to use scare tactics. And there would have to be such payout conditions that eliminate payouts for faulty IT work that contributed to a breach.
What we make we can break.... And since breaking would be a real easy thing to do...... I believe it's called insurance fraud..... But here it's a how easy is it to do and get away with? And then there are losses that cannot be recovered, once exposed to the public.
And where are the insurance companies going to get the payout money, in the event of a wide spread breach..... as the NSA leaks suggest.... The NSA is an organization of committing breaches.
Windows users pay higher premiums, but at this point it could qualify as willful negligence. Sure the system may have come with Windows but that's no excuse not to clean it off before connecting to the net.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Private insurance companies are not in business to benefit policyholders, but to enrich shareholders and executives. The companies in jeopardy would be wise to form a cooperative to attend their indemnification needs. Call it open sourced insuring.
I am not a fan of insurance in general. In essence, you are betting against yourself. For the case of this article, why don't you take the money you pay in insurance premiums and invest it in securing your systems... Seems like a better bet to me.
For starters, the 1.25 billion estimate of Sony's loss is pure bullshit.
Even the TJX numbers are not likely a realistic representation. If you go back and review their stock price in the time frames in which the breach was announced and subsequent news was released, a small hit seemed to occur, but it did not have a long term impact. The sad reality is that their security efforts were a joke, and yes it cost them, but quite likely not more than it would have cost them to have put forth a considerable effort on security in the first place.
Where things could get interesting would be if companies were legally held liable for failures to secure information of others which they opted to hold. Make the cost painful, to the point where the impact could shake even a very strong company. This would force a real discussion in board rooms: is the default behavior of trying to capture everything on everyone really in the best interest of the company? Should we dump info we do not have a use for? Should we limit what we gather in the first place?
If this were the starting point, then insurance could be interesting. Once a company has completed their first level pruning, then insurance could be sought. The insurance company would then insist on knowing what data you have. Where is this data? Who has access? How is it defended? Then they could set a rate based on the risk and the liability cost faced by stepped up legislation. In most cases this quote would be high, very high, which should be the tip-off that a company should then prune more data, reduce access, and improve security, thus hopefully getting the company to a reasonable position that they should have been in at the beginning, but have not been because it was not in their financial interest to do so.
Law of diminishing returns. There are a few good journal papers looking at the optimum investments into IS from game-theoretic and other modeled approaches. In short: at some point the economic investment of continued improvement is offset by the likelihood of that vulnerability being exploited. At that point if the risk is still above an acceptable level your only real option is transference.
The point of insurance is to cover potential expenses that you cannot cover yourself by joining a risk sharing pool.
If somebody at WalMart offers to sell you a $20 insurance policy on a $100 bike, then you're a fool to take it because you can cover the $100 yourself.
If you can't cover the cost of rebuilding your $200,000 house out-of-pocket, then you better have fire insurance on it.
Those things aside, insurance creates an incentive to do good things. If you have smoke detectors and fire extinguishers in your house, then you get a discount. If you have a sprinkler system you get a much bigger discount, but most people don't have the means to add a sprinkler system and they carry other risks, so that's less common.
But in the case of 'cyber insurance' a good insurance company would look to see that machines are patched, that good security practices are followed, and probably would do an outside scan once in a while to verify their risk. That's the kind of system that leads to better behaviors across the board.
If the insurance companies are corrupt, then we have a separate reputation-monitoring problem (I believe we do).
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Most cyber insurance policies require an auditable security system in place. They will audit it after the incident and they usually will find reasons not to pay if you have never done an external security audit and if the CEO thinks that security is IT's job.
So in other words, insurance motivates you to do things you should do anyway. And for the privilege of this knowledge you get to pay them less. The other alternative is to do these things anyway.... Yes I know that, in theory, insurance can be a way to balance risk over a wider group. However, much modern insurance is a money grabbing scam. Most people are way over insured, and pay more in premiums than the realistic risk.
That is in effect the essential idea of insurance. It's a wager. Clearly it only works if more money gets taken from "losers" than gets paid to "winners."
If it were merely that, insurance companies would be a nearly honest business, like bookies or casinos...
The trouble is not so much that, for insurance to be something worth offering, the sum paid in (by all subscribers) must be greater than the sum paid out (to parties who end up making claims); but that insurers are...talented and creative... when it comes to reducing both the number of eligible claimants and the size of eligible claims. At least in ordinary gambling, the rules of the game are generally fixed and relatively simple.
In this case, the assignment of 'damages' numbers to intrusion incidents is so absurdly vague that there is absolutely no way in hell I'd dare go up against an insurance outfit. Sure, when it comes time for some prosecutin', you hear that "it cost eleventy-zillion dollars when Anonymous defaced Sony"; but your insurer won't be using DEA math when it comes time to pay up.
That's what re-insurance is for, they insure the insurance company in case there are too many pay outs for them to remain insolvent.
What's more, insurance is typically regulated, which means that there are limitations on when they can refuse a claim. In most cases they have to pay out, provided the incident is covered and unless they have evidence of insurance fraud.
In practice, they'll usually pay unless there's flagrant fraud going on, but if the incident shouldn't have been covered, they'll often times just cancel the policy afterwards and not cover you in the future.
I get that people like to hate insurance companies, but they're not as scummy as you seem to think. They do make a profit, but I'm not sure how an insurance company could remain soluble if it were paying out more than it was taking in from premiums.
No system is 100% secure or safe, insurance takes a fee to pay for the repairs or lawsuits if something that you can't prevent happens. For instance, auto insurance often times covers uninsured motorists that crash into you due to their negligence. Sure, you can sue them, but a person like that might not have sufficient assets to pay reparations for the damage. And if they die, the estate may not have sufficient cash to pay off any claims. In terms of crackers, even if you do manage to catch them, how many of these people have the millions of dollars that would be required to fix the damage they've caused?
I disagree with the notion that most people are over insured. How much insurance you should have really depends upon the specifics of your situation. Only a third of renters have renter's insurance and few people seem to have flood or earthquake insurance, even in areas where that's relevant.
Bottom line is that unless you've got sufficient cash or easily liquidated assets to cover the damages, then you're going to need insurance. But, more than that, insurance companies provide things like access to attorneys when they come up. For instance, around here auto insurance companies are legally required to put up a vigorous defense if you're sued while on the road.
1. Perform Audit
2. Mitigate where possible
3. Insure the rest
I think you and I disagree on a fundamental point.
You feel that disasters happen, and that you should be prepared (by having insurance)
I feel that disasters are rare. Most (not all) disasters are also avoidable IMNSHO.
As an example, my car has been broken into twice in the last 15 years. (my car is very easily broken into...) On the first occasion, they got a laptop and some other stuff, on the second occasion they got about $5.00 in parking change. Let's say the two thieves got away with $1000 in goods and $500 in damage (I am probably being generous...). So $1500 in 15 years, or $100 per year. I pay way more than that in insurance. Oh, and insurance did not cover any of the expenses. I could have fought it, but the deductible was $200, and my rates would have gone up. How is this a good idea for me again?
He should have read the fine print. Also, I find this highly improbable. My insurance has a similar clause in it for when I go to a different hospital that they don't have a contract with. They still have to pay, it's just that I have to get authorization and I might have to be moved to a different hospital. I'd have contacted the insurance commissioner, because that doesn't sound legal.
As for the casino analogy, that's a stretch. Insurance is there to put you back where you would have been had you not suffered the misfortune. It's not to make people rich. What's more, casinos have rules and they're generally available, a casino has to post the pay schedule for those machines and stick to it, provided there's nothing wrong with the machine.
The point of insurance is to cover potential expenses that you cannot cover yourself by joining a risk sharing pool.
Tell that to health insurance in America.
The kind of insurance that you are talking about (classic catastrophic coverage) isn't enough to avoid new federal fines for not being insured enough. You must "share the risk" of things like yearly checkups, too.
"His name was James Damore."
Not really. People who treat insurance that way don't understand insurance. The point of insurance isn't to win some sort of lottery. On average, you will pay more for your insurance premium than you will for your claims. What insurance does is let you take an existing, expensive risk, and ameliorate it over time.
Take home insurance. Say your home and contents are worth $100,000. The existing risk is that if your house burns down, you're up for a $100,000 bill to replace everything. Say the premiums for your home insurance are $110,000 over your lifetime. Bad deal, right? You'll lose $10,000. You might as well self-insure - put what you would pay in premiums aside, and use them to fund reconstruction if the worst happens. Except that the fire could happen in the first year of your insurance, in which case you've only got $2000 set aside. You're pretty much screwed. Unless you have insurance.
If you have enough money on hand to replace the insured item at any given time, and if using it is not going to significantly impact you, you shouldn't get insurance - you're almost always better off self-insuring. That's one of the many reasons those "extended warranty" things on consumer appliances are a massive rip-off. But for high-expense risks (say, hitting someone with your car and being up for their medical bill, or home insurance), unless you're very wealthy, insurance can be a wise decision.
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
I will gladly offer them insurance for only $1 million dollars a year, policy is null and void if your network is found to be insufficiently secured, as evidenced by a successful intrusion attempt.
If you are not allowed to question your government then the government has answered your question.
And I'll tell you like I tell the insurance scammer, "Stick that fine print up your ass" because if you need a fucking lawyer because you've made it such a damned legal nightmare? Then screw you, your business should be banned by the government for being a scam.
And the sad part is YOU KNOW it's a scam, don't try to tell me you don't, because if it wasn't a fucking scam you wouldn't need 40 pages of fine print to hide all the fucking gotchas in! You'd just make a simple easy to read contract and be done with it, but noooo, you have to put an assload of fine print so people THINK they are getting one thing and in reality getting another, to me that is a textbook definition of a scam and the contracts and insurance weasels can all be thrown in a fire, make the world a better place.
ACs don't waste your time replying, your posts are never seen by me.
Right, and you don't understand insurance. And you also don't understand basic statistics. It doesn't really matter if it's a 1 in a million risk if ultimately it does happen and you lose your house over it. That's where insurance comes in handy. The insurers have actuaries that estimate the likelihood of the event happening and the price tag if it does happen. And they're surprisingly good. They might not know exactly what your risks are, but they're pretty good.
Insurance isn't really there for things you can easily save for. It's for times like when your house burns down or when somebody steals your car. Of course, claiming on something that's barely over the deductible is going to cost more than what it's worth. But, what about the other things that they cover, like liability if you cause a crash or if your parking brake fails and your car rolls off and kills somebody?
It's up to you whether or not you want to have insurance, but part of being a responsible member of society is having the ability to pay for any damages that you cause in some fashion. For most people, insurance is the most realistic way of doing so.
Then again, you're one of those assholes that thinks that nothing bad ever happens if you're careful. I hope you never cause any damages to anybody other than yourself.
Apparently, to actually be covered you need insurance insurance and insurance insurance insurance.