The issue of cyberattack insurance was recently covered in the New York Times. It’s a great read on a number of levels, not the least of which is what a disaster the market is going to be as long as people keep adhering to the status quo.
Insurance works because, in aggregate, the premiums paid by the insured exceed the claims paid out by the insurers. Insurers use actuarial tables – literally reams of documentation assessing the probability of any given event happening to any given person, place or thing anywhere in the world – to decide exactly how they’re going to maintain that ratio. This is a tried and true process that works for life, health and property insurance. Does it work for cyberinsurance?
“[actuaries] could tell you exactly the chance of an office building burning down in Midtown Manhattan, but there isn’t anyone on this planet who could tell you the probability of a large U.S. retailer being hacked tomorrow,”
I don’t know if this is true for every insurance company that issues cyberinsurance policies, but for those I am familiar with, none of them do the kind of due diligence they would do for a health or life insurance policy. When I bought supplemental life insurance a few years ago I got an initial quote based on a verbal description of my health and lifestyle, and that information was promptly confirmed (or in some cases refuted) by a nurse who visited me at my house (needless to say my final quote differed from the one I got initially…don’t judge me).
In the cyber domain, verification and validation of the factors that could mitigate risk aren’t done to that same standard. Checking a box on a form because an insured has a firewall, an IDS, anti-virus and written policies is a compliance exercise, not a validation of security, and we all know what a good fight compliant firms put up against hackers.
Insurers complain about a lack of data upon which to build actuarial tables. It is true that most attacks go unnoticed or are never reported, but the environments being attacked are no mystery: most organizations use one of three operating systems, everyone who connects to the ’Net uses the same protocols, and increasingly organizations are building on one of a handful of cloud providers whose building blocks are known. I’m not an actuary, but it would not be difficult to hit center-mass with that kind of data.
In order for cyberinsurance to work, three things have to change. For starters, insurers need to run their prospective clients through the wringer. The nurse who visited me brought a tape measure, a scale, a sphygmomanometer and an EKG machine. To assess a company’s cybersecurity health, insurers need to bring auditors and pen-testers to the table and find out whether all those defensive technologies and ‘best practices’ are actually going to mitigate risk to a substantial degree.
Secondly, insurers need to ensure that once the insured are in an acceptable state from a security perspective, they stay that way. How many organizations do you know where prod remains unchanged for years? Months? Weeks? It’s the digital equivalent of a perfectly healthy person getting a life insurance policy and then taking up heroin, BASE jumping and shark taming (not a real thing, but if it was, crazy dangerous).
Finally, both insurers and the insured need to recognize that their focus should be on detection and response, not prevention. While there may not be hundreds of years of actuarial data on digital breaches, anyone who has worked in this field for any length of time knows that the probability of any organization online being hacked is 1. Attackers are getting their job done in days, defenders are not starting theirs for months; this is not a situation that will end well for insurers.
The more precisely and rapidly an organization can detect and remediate threats, the less chance an attacker has to accomplish their mission and make off with an organization’s valuable data. Compromise? Yes. Data loss? No. This means no expensive clean-up (which cyberinsurance covers) and no REALLY expensive losses in revenue, brand loyalty, etc. (which insurance does not cover).
The article closes with a quote from an insurance industry executive who states that “insurers can’t afford not to be in [cyberinsurance].” Absent improvements in risk assessment and a fundamental shift in how organizations deal with threats, I predict the opposite will be true: insurers will soon find out they can’t afford to be in the cyberinsurance business.