Comment The UK government last week partnered with 12 insurance companies to develop the "cyber-insurance" market. But experts are split on whether encouraging the development of the nascent market will result in the adoption of improved security practices.
Cabinet Office Minister Francis Maude said that while cyber insurance adds an extra layer of protection for organisations, it needed to be used in combination with good cyber-security practices more generally in order to get the best results.
The government is promoting the growth of the cyber insurance market as a means of improving cyber security risk management. It says the insurance sector can improve good practice by asking the right questions of customers in relation to their cyber breach and operational risk policies.
In your correspondent's opinion, arguing that boosting spending on breach insurance protection improves cyber security is akin to saying that growing the car insurance market will improve road safety.
This may be an imperfect analogy, though: perhaps the deal will marry compliance with insurance as a business-focused answer to managing security risk.
Maude, lead minister in the UK's Cyber Security Strategy programme, co-hosted a summit of 12 CEOs from the UK’s insurance sector together with Marsh, the insurance broker and risk adviser, to discuss how the sector can help support the broader strategy of making the UK among the best places in the world to do e-commerce. There's also the potential that hacker breach insurance might improve the UK's balance-of-payments deficit.
The UK insurance sector is a global leader and a "natural home for a growing international cyber insurance market", according to UK government officials.
The government wants to use insurance as a driver for improving cyber security practice in UK businesses – SMEs in particular. A working group has been set up to assess the development of the cyber insurance market and report back to the Cabinet Office in April 2015, weeks before the next UK general election.
"Protecting the cyber security of UK businesses is an important part of this government’s long-term economic plan - we want the UK to be one of the most secure places in the world to do business," Maude said in a statement. "Cyber insurance does not replace the need for good cyber security practice but is an added protection for businesses in the event of breaches," he added.
Mark Weil, chief exec of Marsh UK & Ireland, said: "As recent network attacks and data breaches have demonstrated, cyber security events can quickly accumulate significant costs, inflict reputational damage, and undermine investor confidence. A massive data breach will invite litigation, generate regulatory fines, and instigate law enforcement investigations.
"Companies should be assessing their vulnerability to cyber attack and taking advantage of risk management and insurance solutions to mitigate the potential for these events to harm their business," he added.
Brian Honan, an infosec consultant who founded and heads up the Republic of Ireland's Computer Security Incident Response Team, said insurance firms are experts in risk management and therefore bring in an expertise that is sometimes missing in the field of information security.
"While insurance will not directly prevent you from suffering a security breach, it will help focus management attention on the need to invest in better cyber security," Honan told El Reg. "One of the key weaknesses and immature areas we have in cyber security is the lack of accurate metrics on security breaches and disciplined risk management. Insurance companies are masters in risk management and have been for a long time; this is a discipline they will bring to bear on our industry."
So... HOW MUCH is it going to cost?
Working out suitable premiums when breach loss figures are often guesstimates is among the biggest challenges that providers of insurance against security breaches will face.
Security consultant Rodrigo Bijou wondered: "How can an actuary estimate incident response times [and] costs associated when disclosure is a complete shitshow?"
Bijou added that one of the biggest problems in this area is that everyone acknowledges that breaches often result in the leak of intellectual property but nobody knows how great a financial loss this represents.
Max Perkins, an underwriter at insurance firm Beazley’s technology, media and business services team, explained that the insurance industry is in the process of developing pricing models for the nascent market. "Cyber insurance pricing was initially driven by market influences such as cost of capacity, supply, and demand," Perkins told El Reg. "As breaches occur, insurers are able to analyse the data points to build more robust models."
Other interested observers, such as representatives of training and certification body ISC(2), argued that practices from other areas of insurance could be applied to setting premiums for breach insurance.
"Start high, track payouts and adjust? How do they insure other high impact/low likelihood events? E.g. natural disasters."
One, er, illuminating historical analogy for breach insurance could be fire insurance, and its role in developing and fostering adoption of building codes. The cyber insurance market could help foster widespread adoption of sound risk management practices across the industry in a similar way that fire insurance helped drive adherence to safer building codes and fire prevention practices.
Loss assessment is an issue for the development of cyber insurance but not perhaps an insurmountable one, according to Honan.
"In order to calculate risk and premiums the insurance companies will also need good statistics on security breaches, their costs to the businesses, and the root causes of those breaches," Honan told El Reg. "Again, this is information that is not widely shared in the industry, but by engaging with insurance companies businesses will have to disclose this information, which in turn should enable us to identify trends and issues regarding security that companies need to address," Honan concluded.
Ross Brewer, vice president and managing director for international markets at security tools firm LogRhythm, said the collaboration between the financial services sector and the government to promote cyber security insurance made sense since it will not only "raise awareness of the issue, but also ensure damage is limited."
“While cyber insurance has been around for a while, the market has been relatively slow to take off," Brewer explained. "However, as cyber criminals become more sophisticated and we realise the inevitability of attack, it makes sense that businesses would want to have the greatest level of protection as the aftermath of a serious breach could be akin to a large-scale burglary. For insurers it’s not surprising they would want to capitalise on this modern risk facing UK businesses, and working with the government only provides a greater opportunity to get the word out there."
However, some security experts expressed concerns that an insurance safety net might engender complacency among some companies.
Rather than boosting cyber security, hack insurance protection could have the opposite effect, promoting a "we're insured, don't worry about securing that" scenario, security consultant Paul Moore warned.
Honan echoed this point: "My concern though would be many companies may take the option to invest in a cyber security policy with the view that any costs incurred from a security breach would be covered rather than investing properly in securing their systems to prevent breaches occurring in the first place."
Two-thirds of senior business executives expect to suffer a security breach, according to a survey of international business leaders. Breaches are expected to result in an average drop in revenues of about eight per cent, according to a poll of 800 senior business decision-makers sponsored by NTT Com Security.
Despite the tangible threat of security breaches, only 44 per cent of business leaders had taken steps to secure all of what they consider to be their business-critical data and only 47 per cent had a recovery plan in place.
Nearly three-quarters (72 per cent) of senior execs polled believe it is vital that their organisation is insured for data security breaches, but only half (54 per cent) admit their company insurance currently covers the financial impact of both data loss and a security breach. Most senior executives fail to recognise the long-term damage that a data breach might have on their business, according to NTT which polled business leaders (not in an IT role) in Australia, France, Germany, Hong Kong, Norway, Sweden, UK and US.
The NTT study discovered that cyber insurance covered the financial impact of data loss or a data security breach as standard with other factors also covered, depending on the terms of the policy. Other factors that might be covered included legal costs, regulatory fines, loss of business, remediation, loss of customers and government fines.
Cybercrime is a relatively new form of commercial risk, and the market is still evolving, with a lack of brokers and insurers with the relevant skills and knowledge. As a result, cyber insurance can be ambiguous, with examples of insurers failing to pay out based on small print and complex policy interpretation.
NTT said the growing market still offers business benefits but needs to be approached carefully. Organisations need to understand the context and put necessary controls, processes and operations in place. It's only then they can look at the gaps, which enables them to tell insurers what risk controls and risk exposures there are in the business.
Garry Sidaway, senior vice president of Security Strategy & Alliances at NTT Com Security, said its report shows businesses increasingly value their data even though they don't necessarily understand the risks to critical information posed by security breaches until disaster strikes. Sidaway said: "Unfortunately, security at the board level still tends to be associated with data protection and compliance, when in fact securing data properly is absolutely critical to enabling businesses to thrive and survive. There’s also a growing disconnect between the cost of breaches and the importance that organisations place on IT security to drive these costs down."
Using cyber-insurance as a means of managing the risk of hacker attacks was earlier suggested by Michael Daniel, one of US President Obama's top cybersecurity advisers last year.
The US market for cyber insurance was already established even back then, according to industry experts.
"The involvement of the big insurance players, covering big companies against potentially massive losses, is steadily transforming it into a major business though. It's already raking in an estimated $1.3 billion per year in the US, with the rest of the world lagging some way behind," notes John Hawes in a post on Sophos's Naked Security blog.
"The cybersecurity insurance market is relatively new and undeveloped, according to a study last year from consultants Cap Gemini. Although we started seeing insurance against infection thrown in with some AV products several years ago, this was little more than a gimmick and never really took off."
No claims bonus
Mark Brown, executive director of cyber security and resilience at management consultancy EY, argued that the cyber security insurance market would work better if it incentivised firms to achieve compliance with industry standards via reduced premiums. Without this, security insurance risks becoming a safety net for the feckless, according to Brown.
“Many firms are now focussing on how they protect against the consequential financial impacts of a cyber incident and are turning to insurance as a mechanism to alleviate risk," Brown said. "However, whilst insurance offers financial protection to businesses, it does not incentivise businesses to invest in enhancing their Cyber Security defences. Consideration should be given to rewarding those businesses who can demonstrate effective Cyber Security through certification schemes such as the Cyber Essentials.
“Those organisations that show high levels of effective cyber security should be rewarded through options such as insurance premium reduction. This would align to steps taken by insurers offering protection against wider business interruption and ensure that such risks were being appropriately managed by businesses and not just managed through insurance coverage.”
LogRhythm's Brewer argued businesses must see insurance as a safety net, and not as a security tool.
"Just as you wouldn’t forgo your fire alarm when you purchase contents insurance for your house, organisations must not do the same with their defensive security measures," he said. "Protective monitoring and security intelligence should be the go-to strategy throughout organisations, as it provides the most granular view into all network activity. This ensures that anything untoward can be immediately identified and stopped in its tracks before any lasting damage is done – or big insurance payouts are required." ®