The head of a UK industry insurance organisation has called for the government to create a database where companies would be obliged to “record details of cyber attacks”.
Insurers are struggling to assess premiums for newly introduced cyber insurance policies in the absence of background info, according to the head of the Association of British Insurers (ABI). Insufficient data was inhibiting the growth of the industry.
“We have 350 years of fire data and 100 years of motor and aviation data, but we have just a few years of cyber data,” Huw Evans, director general of the ABI told the Financial Times (story here, registration required). “How do you build a business model in such a data light environment? Nothing scares an insurer more than a lack of data.”
The upcoming European Network and Information Security Directive will make it mandatory for certain organisations providing essential services – energy, transport, health and banking – to rapidly notify authorities about breaches, or else run the risk of fines or sanctions from 2018 onwards. The ABI wants to oblige other industries to provide the same sort of data in a form that would be “anonymised and made accessible to insurers”. Such a regime would need parliamentary legislation, a potential stumbling block the ABI boss is keen to downplay.
“It would have to be mandated by parliament, but it would need to be proportionate and manageable,” according to Evans.
The database ought to include some details of the company that had suffered a security incident, the type of attack and the damage caused, including clean-up costs.
“We’d like to see a not-for-profit, anonymised database covering things like business interruption costs, ransom demands, privacy breach claims and damage to IT systems,” Evans concluded.
Although breaches against big UK organisations such as TalkTalk and JD Wetherspoon have dominated the headlines, they happen against a constant background noise of malware infections and hacking attacks that affect businesses large and small, as well as public sector organisations. Calculating the cost of breaches has long been an inexact science at best.
Part of the reason is that early estimates tend to come from security vendors who have a vested interest in talking up losses. Actual losses on the balance sheet of compromised firms tend to come in months or years later, often at a lot less than first estimates might suggest.
About the best guide is Verizon’s annual data breach report, but that mainly covers trends rather than costs.
Third party, fire and hackers
Cyber liability insurance can include cover for data/privacy breaches, extortion liability and network security losses. Businesses in the US are most likely to have this type of insurance – 51 per cent compared to just 26 per cent in the UK – according to a recent study by NTT Com Security. The same study found that coverage was sometimes patchier than the contracting organisations thought.
Less than half (41 per cent) of 1,000 global organisations quizzed in a survey are fully covered for both security breaches and data loss and just over a third have dedicated cybersecurity insurance.
Two years ago the then coalition UK government partnered with 12 insurance companies to develop the "cyber-insurance" market. Experts were split at the time on whether encouraging the development of the nascent market would result in the adoption of improved security practices.
The appliance of compliance
US breach disclosure rules vary from state to state but are generally tougher than those in Europe, and often require reports to customers as well as regulators in the case of breaches. As in other aspects of security, cyber insurance is partly driven by compliance concerns (PCI for retailers, Sarbanes-Oxley, HIPAA etc.).
Some industries, such as banking, already exchange threat data between peers, but this remains the exception rather than the rule. The FT reports that this co-operation is being extended through a pilot programme from the European Central Bank to collect and collate data on cyber incidents from 18 of the Eurozone’s largest banks. ®