Posted by Virus Bulletin on Aug 14, 2014
Sorin Mustaca looks at how companies trading online can insure against the risks they run.
Throughout its 25-year history, Virus Bulletin has regularly published technical analyses of the latest threats and defensive methods, and will continue to do so (with the material now available free of charge). We will also continue to post thought-provoking opinions from security experts, to encourage debate and discussion.
Today, we publish a guest blog by Sorin Mustaca. Sorin is well known to many in the industry and has regularly written for VB. In this post, he looks at the topic of cyber insurance.
If you own a car, you probably have car insurance, and if you own a house, you will have several kinds of insurance against almost any kind of damage that can affect your property - insurance against theft of items in your property, insurance against damage by flood, fire or accidental damage, and so on. Meanwhile, in various professions it is mandatory to have specialized insurance cover to protect customers against damage through negligence or failure to provide the appropriate level of service.
But what about a company's digital assets? Or the private customer data that is stored by a company? Should they also be insured? And if so, how?
What about security breaches? Should companies that store customer data take out insurance to protect them and their customers against loss of that data?
In this article I will discuss some of the pros and cons of what a cyber-insurance policy might cover. (Note that I am neither an insurance expert nor a lawyer, and I am not in any way involved in the insurance business.)
With the recent tremendous increase in data breaches, companies are starting to look for insurance products that will cover them in the event of such a breach - to cover the costs of recovery, business interruption, and any losses incurred in the case of a lawsuit. Companies seeking such insurance policies are also driven by an increase in official regulations.
In order to mitigate losses (in this case, to transfer the risk) from cyber incidents and breaches of cyber regulations, the concept of 'cybersecurity insurance' (CI) was created more than 10 years ago.
As with any kind of insurance, the company that creates the insurance product must cover certain risks with a specified amount of money. In car insurance, for example, the risks are quite clear and the maximum amount covered is the value of the car. There are also insurance policies that cover the people in the car, but here too a fixed amount of money is usually specified.
In the case of health insurance, an assessment of the client's health may need to be completed before the insurance policy is drawn up. Using statistical data, a policy may be sold or denied, and the price of the policy is determined accordingly. Additionally, customers may be offered various benefits if they follow a certain programme which is intended to reduce the customer's risk and hence the insurer's future costs. This way, both the client and the insurer benefit.
But how does this apply to cyber risks?
A cyber risk can have consequences outside of the immediate area of an event. Let's consider a breach where the company loses some business opportunities, invests time and resources in investigating and fixing the problems, and has to refund customers that might have been affected. If news of the breach goes public, then there are further factors that will cost the company money, such as loss of reputation.
Let's start with the most obvious:
Insurers have yet to develop an evidence-based method to assess a company's cyber-risk profile. This can result in high premiums, low coverage, and broad exclusions of risks.
However, what I like most about many types of insurance is the fact that they motivate clients to act with caution and to take steps to mitigate risk in the area in which they are providing cover. As with health insurance, cyber insurance could become less expensive if the company taking out the policy can prove it follows certain security practices that might reduce the chance of it having to make a claim - for example:
But how do the insurance companies assign a price tag to the risks, considering that the business value of the companies they insure can vary widely?
They likely have a coefficient of risk which is independent of the financial value of the risk insured. For example, the website of an online shop has a higher likelihood of being compromised than that of a car dealer. Additionally, there will be a factor which is dependent on the company's cybersecurity profile. A company that follows many of the security practices listed above is likely to be deemed a much lower risk than a company that does not follow the same security practices.
Together, these two variables can help determine the impact of a certain risk on a company. If you want to know more, this process is known as threat modelling, and it is carried out using a threat risk assessment model.
The real art of the insurance business is putting a price tag on the risk assessment. I don't expect there to be much science behind this. My expectation is that it is a mixture of analysing old events, experience gathered in other fields, and gut feeling.
I would be interested in learning others' views on this topic. If you know more about cyber insurance, or have an opinion on the matter, please contact me.
Do you have a clear opinion on a topic in information security? Is the industry doing it all wrong, or do we simply need to learn about a new topic? We're always looking for security researchers to share their thoughts with a broad security audience. Please get in touch if you're interested in sharing your opinion with VB's audience!