VirusBulletin.com: Cyber insurance, is it for you?

This article was published first in Virus Bulletin.

Sorin Mustaca looks at how companies trading online can insure the risks they run.

Throughout its 25-year history, Virus Bulletin has regularly published technical analyses of the latest threats and defensive methods, and will continue to do so (with the material now available free of charge). We will also continue to post thought-provoking opinions from security experts, to encourage debate and discussion.

Today, we publish a guest blog by Sorin Mustaca. Sorin is well known to many in the industry and has regularly written for VB. In this post, he looks at the topic of cyber insurance.

Introduction

If you own a car, you probably have car insurance, and if you own a house, you will have several kinds of insurance against almost any kind of damage that can affect your property – insurance against theft of items in your property, insurance against damage by flood, fire or accidental damage, and so on. Meanwhile, in various professions it is mandatory to have specialized insurance cover to protect customers against damage through negligence or failure to provide the appropriate level of service.

But what about a company’s digital assets? Or the private customer data that is stored by a company? Should they also be insured? And if so, how?

What about security breaches? Should companies that store customer data take out insurance to protect them and their customers against loss of that data?

In this article I will discuss some of the pros and cons of what a cyber-insurance policy might cover. (Note that I am neither an insurance expert nor a lawyer, and I am not in any way involved in the insurance business.)

What is cyber insurance?

With the recent tremendous increase in data breaches, companies are starting to look for insurance products that will cover them in the event of such a breach – to cover the costs of recovery, business interruption, and any losses incurred in case of a lawsuit. Companies seeking such insurance policies are also driven by an increase in official regulations.

In order to mitigate losses (in this case, to transfer the risk) from cyber incidents and breaches of cyber regulations, the concept of ‘cybersecurity insurance’ (CI) was created more than 10 years ago.

As with any kind of insurance, the company that creates the insurance product must cover certain risks with a specified amount of money. In car insurance, for example, the risks are quite clear and the maximum amount covered is the value of the car. There are also insurance policies that cover the people in the car, but here too a fixed amount of money is usually specified.

In the case of health insurance, an assessment may need to be completed before the insurance policy is drawn up in order to assess the status of the client’s health. Using statistical data, a policy may be sold or denied, and the price of the policy is determined accordingly. Additionally, customers may be offered various benefits if they follow a certain programme which is intended to reduce the customer’s risk and hence the insurer’s future costs. This way, both the client and the insurer benefit.

But how does this apply to cyber risks?

Challenges

A cyber risk can have consequences outside of the immediate area of an event. Let’s consider a breach where the company loses some business opportunities, invests time and resources in investigating and fixing the problems, and has to refund customers that might have been affected. If news of the breach goes public, then there are further factors that will cost the company money, such as loss of reputation.

Let’s start with the most obvious:

  • If customer data gets stolen or destroyed, not only is the company affected, but also its customers. The risk can be measured by analysing statistical data from similar previous events, and the risk can be covered.
  • Loss of reputation is something that can have a long-term impact, and in some cases it can even cause the affected company to go out of business. This is very hard to measure because the process of losing opportunities is a very slow one.

Insurers have yet to develop an evidence-based method to assess a company’s cyber-risk profile. This can result in high premiums, low coverage, and broad exclusions of risks.

However, what I like most about many types of insurance is the fact that they motivate clients to act with caution and to take steps to mitigate risk in the area in which they are providing cover. As with health insurance, cyber insurance could become less expensive if the company taking out the policy can prove it follows certain security practices that might reduce the chance of it having to make a claim – for example:

  • Hardening systems, including software patching and updating
  • Installation and running of security systems on all devices (clients and servers, including gateways)
  • Having security policies in place (certain password strength, password expiration, blocked USB ports, etc.)
  • Constant use of a vulnerability scanner
  • Network and/or host intrusion prevention systems
  • Backup and contingency plans in place
  • Existence of a product and/or computer incident response team, depending on the company being insured
  • Continuous monitoring of exposed services against suspicious usage (possibly with an application firewall)

But how do the insurance companies assign a price tag to the risks, considering that the business value of the companies they insure can vary widely?

They likely have a coefficient of risk which is independent of the financial value of the risk insured. For example, the website of an online shop has a higher likelihood of being compromised than that of a car dealer. Additionally, there will be a factor which is dependent on the company’s cybersecurity profile. A company that follows many of the security practices listed above is likely to be deemed a much lower risk than a company that does not follow the same security practices.

Together, these two variables can help determine the impact of a certain risk on a company. If you want to know more, the process is known as threat modelling, using a threat risk assessment model.

The real art of the insurance business is putting a price tag on the risk assessment. I don’t expect there to be much science behind this. My expectation is that it is a mixture of analysing old events, experience gathered in other fields, and gut feeling.

I would be interested in learning others’ views on this topic. If you know more about cyber insurance, or have an opinion on the matter, please contact me.


© Copyright 2014 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity

