Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Ask Slashdot: Cyber Insurance. Solution Or Snake Oil?

Soulskill posted about a year ago | from the don't-fix-it-just-insure dept.

Security 71

onehitwonder writes "A recent article in The Wall Street Journal's CIO Journal argues in favor of the benefits of cyber liability insurance — policies designed to help companies cover costs they incur in the aftermath of data breaches (whether for investigation, remediation, customer notification, regulatory fines or legal settlements). Two Deloitte consultants interviewed for the article argue that cyber insurance can help companies offset the increasingly staggering costs of a data breach. (Several of the biggest data breaches in recent history, including Heartland and TJX, have cost those companies hundreds of millions of dollars. A Mizuho Investors Securities analyst estimated the total cost of the 2011 Sony data breaches at $1.25 billion.) The question is: will insurance providers really come through when companies begin filing claims on their cyber liability policies, or will they find ways out? A 2011 article from Computerworld notes that even though a growing number of companies have been purchasing cyber insurance, it's hard to find examples where one of those policies has actually covered the costs of a data breach. Moreover, the Computerworld article points out that many cyber insurance policies cover only the cost of re-creating whatever data may have been lost during the breach — not notification costs, legal costs or other related expenses."

cancel ×

71 comments

Sorry! There are no comments related to the filter you selected.

Really? That's a question? (2)

Jstlook (1193309) | about a year ago | (#44469005)

Insurance companies *always* try to find a way out. That's their job; protect their bottom line.

If you don't get too screwed, they'll probably pay out, just because it improves their reputation enough to improve their bottom line.

Do you want to bet that you'll get less screwed by a data intrusion than by the insurance company? Go for it!

Re:Really? That's a question? (3, Informative)

Rockoon (1252108) | about a year ago | (#44469031)

Do you want to bet that you'll get less screwed by a data intrusion than by the insurance company? Go for it!

That is in effect the essential idea of insurance. Its a wager. Clearly it only works if more money gets taken from "losers" than gets paid to "winners."

Re:Really? That's a question? (1)

Anonymous Coward | about a year ago | (#44469043)

Might as well buy a lottery ticket instead!

Re:Really? That's a question? (1)

hairyfeet (841228) | about a year ago | (#44469189)

Frankly when you are talking about something that can cost over 100 million if you are a big company and get hacked? hell you might as well use the monthly premiums for blackjack because you KNOW they'll just file bankruptcy if you try to cash it in.

The simple fact of the matter is the ONLY way insurance works is if there are enough buyers to 1.- pay out any losses and 2.- if its a publicly traded company pay for the ever higher profits they have to show to keep the stocks from tanking. When you are talking about a niche THIS teeny tiny? I'm sorry but insurance just won't work, there won't be enough paying into the pool to cover losses, instead they'll just file bankruptcy if you try to make a claim large enough to make the insurance worth having.

Re:Really? That's a question? (1)

hedwards (940851) | about a year ago | (#44470553)

That's what re-insurance is for, they insure the insurance company in case there are too many pay outs for them to remain insolvent.

What's more, insurance is typically regulated, which means that there are limitations on when they can refuse a claim. In most cases they have to pay out, provided the incident is covered and unless they have evidence of insurance fraud.

In practice, they'll usually pay unless there's flagrant fraud going on, but if the incident shouldn't have been covered, they'll often times just cancel the policy afterwards and not cover you in the future.

I get that people like to hate insurance companies, but they're not as scummy as you seem to think. They do make a profit, but I'm not sure how an insurance company could remain soluble if it were paying out more than it was taking in from premiums.

Re:Really? That's a question? (0)

Anonymous Coward | about a year ago | (#44470731)

The reason that most people hate insurance companies is that their coverage doesn't cover things that you think it should. For example, my brother's super cheap health insurance once denied his trip to the ER because he had to provide them notice of any visit to a medical professional other than the GP by calling them 24 hours in advance. That's right, health insurance did not have to cover ANY trips to the ER and related illnesses or injuries treated there. Another example is long-term care insurance before it became specially regulated. People would have LTC, suffer some incident that required their kids to put them in a home. However, LTC would only cover being put in a home if you gave them 30 days notice, got a note from one of their pre-approved doctors saying you needed to go in one and did both of those before actually signing on the dotted line on the residence.

  I don't mind taking a bet and losing at a casino because everyone knows the rules and they are fair; but to many people, insurance is like going to the casino, hitting 7-7-7 on the slot machine at noon and then having the casino tell you that you still lost because the small print on a sign in the back says you can only win during odd hours.

Re:Really? That's a question? (1)

hedwards (940851) | about a year ago | (#44470819)

He should have read the fine print. Also, I find this highly improbable. My insurance has a similar clause in it for when I go to a different hospital that they don't have a contract with. They still have to pay, it's just that I have to get authorization and I might have to be moved to a different hospital. I'd have contacted the insurance commissioner, because that doesn't sound legal.

As for the casino analogy, that's a stretch. Insurance is there to put you back where you would have been had you not resulted the misfortune. It's not to make people rich. What's more, casinos have rules and they're generally available, a casino has to post the pay schedule for those machines and stick to it, provided there's nothing wrong with the machine.

Re:Really? That's a question? (0)

Anonymous Coward | about a year ago | (#44471465)

Nope. It was purely that all visits to the hospital (amoungst other things) without notice were completely not covered. Instead of calling the Insurance Division, we called a reporter at the local paper. The insurance company cut us a check after he started snooping around and calling them, the ID, the hospital, the department of health and putting together a compelling piece. The sad part is that was a perfectly legal contingency and we only got the money so they could get good publicity.

But the point remains, I point out where insurance was unfair and your response (along with the industry's) of "read the fine print." Big business with their teams of lawyers with no time pressure vs an 18-year-old with no high school degree (let alone college), who, at the time you want to recall the fine print and meet whatever convoluted contingency, is bleeding profusely. I wonder which the general populace will see as the bad guy and is getting the short end.

The simple fact remains that most insurance regulation is to make it cover what you think it would cover (like LTC covering care, auto insurance covering accidents and health insurance covering health problems), rather than having the company weasel out with small print that no one can understand, let alone reasonably fulfill.

Re:Really? That's a question? (0)

Anonymous Coward | about a year ago | (#44474251)

Nope, insurance companies are scam artists. Take contents insurance, for example: we were told (but didn't get it writing, unfortunately) that when valuing our possessions for contents insurance any carpets, curtains, furniture, etc. over ten years old were to be disregarded (that they were valueless). Then when we were burgled the insurance assessor included all of those items in his assessment with the result being that we were declared under-insured and the company paid out only 33% of our claim. Fuck you, insurance companies!

Re:Really? That's a question? (1)

hairyfeet (841228) | about a year ago | (#44475497)

And I'll tell you like I tell the insurance scammer, "Stick that fine print up your ass" because if you need a fucking lawyer because you've made it such a damned legal nightmare? Then screw you, your business should be banned by the government for being a scam.

And the sad part is YOU KNOW its a scam, don't try to tell me you don't, because if it wasn't a fucking scam you wouldn't need 40 pages of fine print to hide all the fucking gotchas in! You'd just make a simple easy to read contract and be done with it, but noooo, you have to put an assload of fine print so people THINK they are getting one thing and in reality getting another, to me that is a textbook definition of a scam and the contracts and insurance weasels can all be thrown in a fire, make the world a better place.

Re:Really? That's a question? (4, Insightful)

graphius (907855) | about a year ago | (#44469869)

I am not a fan of insurance in general. In essence, you are betting against yourself. For the case of this article, why don't you take the money you pay in insurance premiums and invest it in securing your systems... Seems like a better bet to me.

Re: Really? That's a question? (1)

iivel (918436) | about a year ago | (#44470063)

Law of diminishing returns. There are a few good journal papers looking at the optimum investments into IS from game theoric and other modeled approaches In short: at some point the economic investment of continued improvement is offset by the likelihood of that vulnerability being exploited. At that point if the risk is still above an acceptable level your only real option is transference.

Re:Really? That's a question? (1)

bill_mcgonigle (4333) | about a year ago | (#44470093)

The point of insurance is to cover potential expenses that you cannot cover yourself by joining a risk sharing pool.

If somebody at WalMart offers to sell you a $20 insurance policy on a $100 bike, then you're a fool to take it because you can cover the $100 yourself.

If you can't cover the cost of rebuilding your $200,000 house out-of-pocket, then you better have fire insurance on it.

Those things aside, insurance creates an incentive to do good things. If you have smoke detectors and fire extinguishers in your house, then you get a discount. If you have a sprinkler system you get a much bigger discount, but most people don't have the means to add a sprinkler system and they carry other risks, so that's less common.

But in the case of 'cyber insurance' a good insurance company would look to see that machines are patched, that good security practices are followed, and probably would do an outside scan once in a while to verify their risk. That's the kind of system that leads to better behaviors across the board.

If the insurance companies are corrupt, then we have a separate reputation-monitoring problem (I believe we do).

Re:Really? That's a question? (2)

graphius (907855) | about a year ago | (#44470329)

so in other words, insurance motivates you to do things you should do anyway. And for the privilege of this knowledge you get to pay them less. The other alternative is to do these things anyway.... Yes I know that, in theory, insurance can be a way to balance risk over a wider group. However, much modern insurance is a money grabbing scam. Most people are way over insured, and pay more in premiums that the realistic risk.

Re:Really? That's a question? (1)

hedwards (940851) | about a year ago | (#44470591)

No system is 100% secure or safe, insurance takes a fee to pay for the repairs or lawsuits if something that you can't prevent happens. For instance, auto insurance often times covers uninsured motorists that crash into you due to their negligence. Sure, you can sue them, but a person like that might not have sufficient assets to pay reparations for the damage. And if they die, the estate may not have sufficient cash to pay off any claims. In terms of crackers, even if you do manage to catch them, how many of these people have the millions of dollars that would be required to fix the damage they've caused?

I disagree with the notion that most people are over insured. How much insurance you should have really depends upon how the specifics of your situation. Only a third of renters have renter's insurance and few people seem to have flood or earthquake insurance, even in areas where that's relevant.

Bottom line is that unless you've got sufficient cash or easily ligidated assets, to cover the damages, then you're going to need insurance. But, more than that, insurance companies provide things like access to attorneys when they come up. For instance, around here auto insurance companies are legally required to put up a vigorous defense if you're sued while on the road.

Re:Really? That's a question? (1)

graphius (907855) | about a year ago | (#44470751)

I think you and I disagree on a fundamental point.
You feel that disasters happen, and that you should be prepared (by having insurance)
I feel that disasters are rare. Most (not all) disasters are also avoidable IMNSHO.

As an example, my car has been broken into twice in the last 15 years. (my car is very easily broken into...) On the first occasion, they got a laptop and some other stuff, on the second occasion they got about $5.00 in parking change. Let's say the two thieves got away with $1000 in goods and $500 in damage (I am probably being generous...). So $1500 in 15 years, or $100 per year. I pay way more than that in insurance. Oh, and insurance did not cover any of the expenses. I could have fought it, but the deductible was $200, and my rates would have gone up. How is this a good idea for me again?

Re:Really? That's a question? (1)

hedwards (940851) | about a year ago | (#44476281)

Right, and you don't understand insurance. And you also don't understand basic statistics. It doesn't really matter if it's a 1 in a million risk if ultimately it does happen and you lose your house over it. That's where insurance comes in handy. The insurers have actuaries that estimate the likelihood of the event happening and the price tag if it does happen. And they're surprisingly good. They might not know exactly what your risks are, but they're pretty good.

Insurance isn't really there for things you can easily save for. It's for times like when your house burns down or when somebody steals your car. Of course, claiming on something that's barely over the deductible is going to cost more than what it's worth. But, what about the other things that they cover, like liability if you cause a crash or if your parking brake fails and your care rolls off and kills somebody?

It's up to you whether or not you want to have insurance, but part of being a responsible member of society is having the ability to pay for any damages that you cause in some fashion. For most people, insurance is the most realistic way of doing so.

Then again, you're one of those assholes that thinks that nothing bad ever happens if you're careful. I Hope you never cause any damages to anybody other than yourself.

Re:Really? That's a question? (1)

Rockoon (1252108) | about a year ago | (#44470907)

The point of insurance is to cover potential expenses that you cannot cover yourself by joining a risk sharing pool.

Tell that to health insurance in America.

The kind of insurance that you are talking about (classic catastrophic coverage) isnt enough to avoid new federal fines for not being insured enough. You must "share the risk" of things like yearly checkups, too.

Re:Really? That's a question? (1)

fuzzyfuzzyfungus (1223518) | about a year ago | (#44470429)

That is in effect the essential idea of insurance. Its a wager. Clearly it only works if more money gets taken from "losers" than gets paid to "winners."

If it were merely that, insurance companies would be a nearly honest business, like bookies or casinos...

The trouble is not so much that, for insurance to be something worth offering, the sum paid in (by all subscribers) must be greater than the sum paid out (to parties who end up making claims); but that insurers are...talented and creative... when it comes to reducing both the number of eligible claimants and the size of eligible claims. At least in ordinary gambling, the rules of the game are generally fixed and relatively simple.

In this case, the assignment of 'damages' numbers to intrusion incidents is so absurdly vague that there is absolutely no way in hell I'd dare go up against an insurance outfit. Sure, when it comes time for some prosecutin', you hear that "it cost eleventy-zillion dollars when Anonymous defaced Sony"; but your insurer won't be using DEA math when it comes time to pay up.

Re:Really? That's a question? (1)

LordLucless (582312) | about a year ago | (#44473485)

Not really. People who treat insurance that way don't understand insurance. The point of insurance isn't to win some sort of lottery. On average, you will pay more for your insurance premium than you will for your claims. What insurance does is let you take an existing, expensive risk, and ameliorate it over time.

Take home insurance. Say your home and contents is worth $100,000. The existing risk is that if your house burns down, you're up for a $100,000 bill to replace everything. Say the premiums for your home insurance are $110,000 over your lifetime. Bad deal, right? You'll lose $10,00 dollars. You might as well self-insure - put what you would pay in premiums aside, and use them to fund reconstruction if the worst happens. Except that the fire could happen in the first year of your insurance, in which case you've only got $2000 set aside. You're pretty much screwed. Unless you have insurance.

If you expect enough money on-hand to replace the insured item at any given time, and if using it is not going to significantly impact you, you shouldn't get insurance - you're almost always better off self-insuring. That's one of the many reasons those "extended warranty" things on consumer appliances are a massive rip-off. But for high-expense risks (say, hitting someone with your car and being up for their medial bill, or home insurance), unless you're very wealthy, insurance can be a wise decision.

Re:Really? That's a question? (0)

Anonymous Coward | about a year ago | (#44469141)

insurance company that doesn't find a way out? lol

they will fight, and fight dirty (and sometimes illegally), and even spend more in litigation than the claim would be worth, just to avoid paying anything to anyone.

Re:Really? That's a question? (1)

flyneye (84093) | about a year ago | (#44469375)

Just a hunch, but, maybe people should check to see if these "insurance" companies are allowed to operate in their state before getting happy with the checkbook.

Re:Really? That's a question? (0)

Anonymous Coward | about a year ago | (#44469393)

One of my clients is a third party administrator for insurance companies (life and health). They were very careful when picking a cyber insurance policy. With all the personal information they have (insurance, medical, financial, etc) they need to make sure that they are protected just in case.

These policies don't just cover liabilities, they also cover costs of getting back up to speed after a disaster, a major hardware or facilities failure, etc. They aren't the right answer for all companies but they can be a binkie for companies that need that type of assurance.

Re:Really? That's a question? (1)

jellomizer (103300) | about a year ago | (#44469433)

We buy insurance to hedge against a major problem. House on fire, theft, car accident, floods, law suites... For the most part stuff you normally don't want to happen to you. The Insurance company job is to cover you in case of the problem.
Now they can't operate without making money, and they are for profit. So they will try to make sure they will make their money on the whole. They do this by charging a fee for service. Now the cost of the fee per service needs to be high enough to cover your probability that a problem will occur. So say there is a 1 out of a 100 chance that you will suffer a $100 claim. They will need to charge you at least $1, but that is rather unreasonable because the company has its own expenses, people to manage your claims, you account, payroll, building expenses... etc... Also you expect that they want to make a profit of at least 20%. So you will probably be paying $3 for insurance.
Now there is a lot of competition out there. So they are pressured to keep their prices down. Because their prices need to be competitive there isn't much room to be generous. So for your $100 claim. (say your cheap Cell phone got stolen) the insurance company may state because you had your $100 phone for a year its deprecated cost is $50, and they will only give you $50 for it, figuring you can get a used phone off ebay, or take the money and just use it as part of buying a new phone, figuring you would have bought a new phone within the next year.
You as the customer would feel scammed because while your phone may be worth $50, in terms of technology. It had your contacts on it and your favorite ringtone, and perhaps it has some more meaning to you.

In short if you want full coverage you will need to pay more. If you want cheap expect to get corners cut.
That said, going cheap may still be an option, as this accident may never happen, and you would be better off. Also getting the partial claim, plus the money saved on lower rates may make it better. They account for this stuff too.

Now you could in essence get a loan in place of insurance. However the loan price is based on a 100% chance you will get an accident. So for a Home loan you will be paying 100% your mortgage vs paying 15% of your mortgage. Or you can suffer the consequences of not having insurance. I don't pay for extra insurance on my phone myself. If it gets lost or stolen, then I will loose and need to get a new product. But I can deal with it.

Re:Really? That's a question? (0)

Anonymous Coward | about a year ago | (#44471529)

I mostly agree. Paying out isn't always a bad thing for insurance companies, as you alluded to. It can help them retain the customer as well as gain more customers. They calculate carefully and try to plan for these events, if incidents happen according to plan then it has no negative affect on their bottom line.

Also note that insurance companies primary source of revenue is not from selling insurance, it's from investing. So if you buy a plan and then have an incident a week later, probably not good for the insurance company. But if you buy a plan and have an incident 1 year later, that might be what they had planned and they were able to make enough money off your policy that it makes it worthwhile.

Lastly, insurance companies also by re-insurance. This helps cover them in cases of large incidents (e.g. Katrina).

Re:Really? That's a question? (1)

sjames (1099) | about a year ago | (#44478613)

Apparently, to actually be covered you need insurance insurance and insurance insurance insurance.

Snake oil for sure (0)

Anonymous Coward | about a year ago | (#44469033)

But who cares what Sony does with its money?

Negligence will be the keyword (2)

Opportunist (166417) | about a year ago | (#44469041)

When you look at the various data breeches that became public in the more recent past (especially those done as some kind of protest or out of spite, to harm a company in its goodwill) and analyze the attack vector, you cannot help but shake your head in disbelief. The vectors range from SQL injections to exploits in ancient software that should have been patched months, if not years ago. If that isn't the textbook example of negligence, what is?

Still, I'm all FOR insurance. Because insurances are notorious for requiring their customers to minimize the chance for a reason to file a claim, and your premium is usually dependent on your risk. If you invest in security, your insurance premium would be lower, and we might FINALLY see some CEOs invest in security since now they can see that it's cheaper than paying for the insurance, since they're blind to the fact that it's cheaper than paying for the fallout.

Yes and no ... (1)

golodh (893453) | about a year ago | (#44469345)

Yes, insurance companies are a lot more risk minded than the average company. They also see a lot more 'fail' events than any single ordinary company so they are much more aware of various risks.

So it's reasonable to assume that they will impose more effective and more thorough security standards than companies would otherwise do. Just think about fire hazards. Most companies I know of implement fire prevention measures, install firefighting equipment, and conduct fire drills because they are obligated to do so by law or by their insurance company. Not because they feel any special responsibility towards their employees, their neighbours, or society at large.

The flip side of the coin however is that there is little incentive to go one step further than they are obligated to. In other words: what matters isn't whether there is a risk, but whether it's covered. And besides, insurance companies care only about the *financial* damage, i.e. the amount of the claim. To begin with, they will demand that companies they insure limit the potential damage through contract negotiations, terms of use etc.. That potentially leaves a window open for painful security breaches that nonetheless carry little financial consequences.

I'm not sure how that will play out, but given the history of the past 5-10 years compulsory safety standards do seem needed.

Re:Yes and no ... (1)

lpevey (115393) | about a year ago | (#44472573)

There is a good bit of focus on the financial, but only because that is what buyers of insurance tend to want--protection from financial loss. There are some buyers who are also concerned about reputation damage from crisis situations, and there are insurance policies for that as well. Crisis coverage is generally added as a feature of a Directors & Officers Liability policy rather than a specialized cyber policy. It is a coverage that provides access to specialized PR services.

On the question about real world examples from the OP, there are a number of real world examples available. One place to get them is the AIG Cyber iPad app. I'm sure there are other stats available from other companies, too. The data is out there.

This is a fast-growing area of insurance. It used to be that IT administrators weren't excited about the idea of insurance because they thought it might make it look like they were admitting incompetence, i.e., proactively covering their own ass. But these days, everyone realizes that security is much more complicated than that, and every layer of protection helps.

Re:Negligence will be the keyword (1)

FaxeTheCat (1394763) | about a year ago | (#44469407)

Because insurances are notorious for requiring their customers to minimize the chance for a reason to file a claim, and your premium is usually dependent on your risk.

Spot on. It seems some people may think that insurance is some magic wand that will miraculously make losses disappear. I bet no insurance company will offer such an insurance without pretty detailed requirements and audits. In the end, those who can get the insurance at a price they are willing to pay may not actually need it...

Re:Negligence will be the keyword (1)

Opportunist (166417) | about a year ago | (#44472265)

I wouldn't mind that. You'll notice that very much the same applies for a lot of other insurances. Fire insurances are notorious to require rather ludicrous standards in some areas where you eventually wonder whether the fire would have been cheaper ... if it could still occur, that is.

Windows == negligence (1)

SgtChaireBourne (457691) | about a year ago | (#44469673)

Because insurances are notorious for requiring their customers to minimize the chance for a reason to file a claim, and your premium is usually dependent on your risk.

Windows user pay higher premiums [cnet.com] , but at this point it could qualify as willful negligence. Sure the system may have come with Windows but that's no excuse not to clean it off before connecting to the net.

Re: Windows == negligence (1)

iivel (918436) | about a year ago | (#44470717)

Way to pick a 10 year old OS. Current NIST and US-CERT advisories have everyone on a pretty even playing field. Unless we're going to have our office personnel running secure BSD, OS comparison is pointless without discussing overall governance.

Re: Windows == negligence (1)

SgtChaireBourne (457691) | about a year ago | (#44475211)

In addition to security there is also the ease of maintenance that you gain by eliminating windows. But security alone should be enough to force the decision by insurance companies offering 'hacker insurance': Time may go by and the name may change, but it is still the old NT kernel underneath.

The Vista series is as vulnerable as XP [crn.com] . That includes Vista 7 and Vista 8. Every few months you have vulnerabilities that affect the whole zoo [rdot.org] . On top of that you have a thriving ecosystem of malware flame [arstechnica.com] and Conficker. New malware arrives and joins the old which never really goes away. It is the whole system that is weak, not just the pieces. Not even new, unready systems like Haiku-OS have that. The only way to leave it behind is to leave Windows behind.

No, the only real change since more than 10 years ago has been how M$ has been gaming the vulnerability reports and CERT. Even the shills and astroturfers defending M$ are nothing new.

Re:Negligence will be the keyword (1)

Joining Yet Again (2992179) | about a year ago | (#44470417)

Insurers don't price to set best practices for individuals - they price to ensure that every cohort is sufficiently profitable.

For example, it used to be the case in the UK that car insurance for young men was way more expensive than young women. In fact, women made more claims, but what really skewed things was a small proportion of extremely irresponsible young men who were involved in major and expensive incidents, skewing the "cost" of providing policies for the overall group of young men. Since the insurer didn't know if a new policyholder was one of this expensive minority, all men would suffer, but in fact it was likely that any given male policyholder was *less* likely to make a claim than a female of similar age.

Of course, we can't decide our gender, but there are lots of other attributes we can decide which may reduce our risk exposure but which for the whole group increases risk exposure. To use another household example, vets commonly recommend against yearly vaccination boosters for certain diseases - they're at best medically unnecessary and involve an extra stressful trip to a building full of sick animals, and at worst lead to specific complications. But insurers find it easier to set a blanket policy because the risk of over-vaccinating is lower than the risk of under-vaccinating. So insurance tends to encourage a lowest common denominator effect.

tl;dr Insurance doesn't encourage any sort of behaviour - the best sort of insurance is national, e.g. as the British NHS, and for anything else, you just have to see whether your practices fit with their requirements.

medieval insurance (1)

Anonymous Coward | about a year ago | (#44469053)

I have found great benefit in replacing the word "cyber" with the word "medieval" whenever I'm asked to evaluate things like this. It's fairly easy to do with a quick search and replace.

Rethink (1)

b4upoo (166390) | about a year ago | (#44469109)

I would hope that a company that takes reasonable steps to secure data is not liable for leaks. But if the leak is an exploit of software that is not open to study by the public then the creator of the software should bear the expenses involved. Open code should relieve liabilities.

Re:Rethink (2)

murdocj (543661) | about a year ago | (#44469293)

Oh, please. Both open source and proprietary software has exploits. Just who is going to pay when a company uses open source gets hacked? "The community"?

Re:Rethink (0)

Anonymous Coward | about a year ago | (#44469735)

It's up to the company or community of companies using the software to secure it before using..
Problem with proprietary software is that you do not have a chance to do a review of it...

It's easier to protect against problems when you have a chance of knowing about them.. Btw, there are quite a few security companies out there that are actually doing security-work on quite a few open-source projects.

Insurance is socialism (0)

Anonymous Coward | about a year ago | (#44469135)

Others pay for the damages incurred by any claimant

Re:Insurance is socialism (0)

Anonymous Coward | about a year ago | (#44469423)

NO, insurance is the private sector!

Re:Insurance is socialism (0)

Anonymous Coward | about a year ago | (#44470037)

Not when you are REQUIRED to have it by law, dipshit.

Fines? (0)

Anonymous Coward | about a year ago | (#44469137)

"...policies designed to help companies cover costs they incur in the aftermath of data breaches (whether for investigation, remediation, customer notification, regulatory fines or legal settlements)."

In civilised countries, it is unlawful to insure against fines (for obvious reasons). The insurance companies have every right (in fact a duty) to refuse a claim to recover the cost of fines.

Will they try to avoid paying out on the other risks listed? Who knows -- it depends on the policy wording. Even an ordinary individual would be damned stupid to buy an insurance policy without reading the fine print first. If a CIO at a large corporate buys a big ticket insurance policy without first understanding (which will usually include getting legal advice on) exactly what it does & doesn't cover, the company probably deserves to go under anyway for hiring such nongs.

Cybersecurity is hard (2)

iritant (156271) | about a year ago | (#44469143)

And here [infosecon.net] is a great article from researcher Rainer Bohme that explains why it's hard. It's a fairly technical paper, but one big issue is that insurance companies operate on a reserve that assumes catastrophic events are bounded, perhaps by region. That's not the case with correlated cyber-risks. This is explained in Section 3.

Show us the math (3, Interesting)

Dunbal (464142) | about a year ago | (#44469149)

How do these companies arrive at hundreds of million/billion dollars worth of "damages" anyway? Is this using the MPAA/RIAA method of accounting? Do they have to shut down the entire company for a week? Seriously, did absolutely no one make a recent backup of the databases? Do they have to replace all the computer equipment? Are the IT people so expensive? Where does the figure come from?

Re:Show us the math (1)

mysidia (191772) | about a year ago | (#44469251)

How do these companies arrive at hundreds of million/billion dollars worth of "damages" anyway? Is this using the MPAA/RIAA method of accounting?

100 million customers X $0.30 postage per breach notification + $0.01 paper stock per breach notification = $3.1 million

Estimated customer turnover (loss of subscribers due to breach): 5%

Estimated average customer age = 17
Estimated customer lifespan (age at which they would naturally stop using our product) = 100
5% * 100 million * ( $10 / month * 12 months / year * ( 100 - 17 ) ) = $4.9 billion

Estimated IT worker cost = (Hours time spent Recovering from breach) * (Number of IT Workers fixing problem) * (IT Worker cost of employment $ + each IT Worker's real worth to our business above what we pay$ [lost opportunity cost]) / 8760 = ~ 720 * 50 * ( $140,000 + $800,000 ) /8760 = ~ $3.9 million

Re:Show us the math (0)

Anonymous Coward | about a year ago | (#44469813)

And some places does not only add those costs, but the actual costs of the systems that where hacked..

Ie, if a $5000 unused machine is breached and they do a reinstall some claim a loss of ++$5000

Even seem some places that have claimed really big losses due to information-leakage... Ie someone downloaded their source-code so they add the cost of a source-code license to the loss..

Many places do not, but i think there is a big exaggeration for some to be able to deduct the loss from the earnings for the year.

Re:Show us the math (1)

StormReaver (59959) | about a year ago | (#44469563)

Where does the figure come from?

It's the cost of having your obscenely overpriced lawyers shift the blame for managerial incompetence onto some teenager.

Re:Show us the math (1)

onyxruby (118189) | about a year ago | (#44469795)

As someone who's had to do the security audit on a major (make the news) breach I can give some insight. Let's say you got busted a company for hacking their email list so that you could send an angry rant to their CEO. On your way to getting the email list you took a look through their databases and papers just because you could and you were curious. One thing led to another and now your being sent a bill by the judge for 6 or 7 figures and your wondering how the hell they came up with the figure.

The first thing you have to remember is that the people who just got hacked don't have the benefit of knowing the extent to which they have been hacked. There is also the issue that when you opened a vulnerability, that other people - not even working with you - will of then follow you in. It's a bit like breaking open the secure door to a building, someone else you don't even know might decide to walk in behind you.

Cost of staff time to discover the issue (X hours times Y staff cost plus opportunity cost).
Cost of staff time to shut down affected system and perform a cursory audit to find out how intrusion went (X hours times Y staff cost plus opportunity cost).
Cost of staff time and expert time for a full fledged audit if required (X hours times Y staff cost plus opportunity cost).
Opportunity cost is a big deal as this is the cost of your staff being diverted from what they were supposed to be working on in the first place.
Don't forget to include the costs of overtime, dinners that you had to order and that nice gift basket to appease the wife who's husband is now working 16 hours in a row...

Cost of business as systems are shutdown and are not available.
Cost of performing a clean system restore from a known good point.
Cost of performing backup restorations.
Cost of bringing the system back into a certified state.
Cost of tickets with any affected vendors (they almost always charge per incident).

Cost of time to verify and prove /what/ data was stolen and if the data was encrypted. Depending on the type of data you have your results will be handed over to one or more angry Attorney Generals. Don't forget that Attorney Generals mean the company needs it's own attorneys.
Attorneys for companies are much more expensive than for private individuals.
You have a major breach and are going to be sued, don't forget the cost of your forensic backup and recovery expenses if needed.
Cost of time for management to deal with all of these things.

Depending on how severe the breach was you may have shut down some of their business operations while they recovered. This is costing the business money that they otherwise could have been making or in costs from having to hire contractors or loss of business for not performing their normal work. Their partners may get pissed off and end their business relationship with them.

If it is a hack that is or has to be public (notification laws) than you have a situation where you may also require public notification and all related expenses. This is where you get into damage to the public image of the company, the same image that the company might spend millions of dollars on advertising building. If a company loses just 1 percent of their customers following a public hack than you have the lost revenue from that 1 percent, plus the cost of replacing the customer.

Some of these costs are only going to apply for a major incident, however all of these costs are accepted costs that many companies can and will undergo in the event of a notable hack. Certainly off these costs are the types of costs that courts routinely approve of for recover of losses. Even your routine garden vanilla type of hack is going to cost money in terms of staff time, opportunity cost and remediation cost. Incidentally you could also look at this list as the reason that IT security field is growing.

Re:Show us the math (1)

g0rd0 (2995987) | about a year ago | (#44474401)

By this logic ubuntuforums is now worth more than Canonical. Which wouldn't be surprising except their greatest revenue stream is now security breaches.

I'm leaning more towards snake oil (1)

hurwak-feg (2955853) | about a year ago | (#44469161)

I am leaning more towards snake oil, but it might be a good thing. I have often had doubts about the monetary damages claimed in outages/leaks/data theft. Insurance companies providing other types of insurance don't just pay out claims because you said something was valuable, but want some supporting evidence of the value of the claim. Maybe the companies filing claims against their "cyber insurance" policy will have a hard time justifying it, and we will stop seeing exaggerated claims. The reason I say it is probable more likely snake oil is it is pretty hard to put a value on damage to customer trust that can occur when information like credit card numbers is stolen. Does "cyber insurance" cover lost sales?

Ways out for the insurance companies (4, Funny)

fox171171 (1425329) | about a year ago | (#44469201)

Ways out:

- We took the money and ran, your coverage is void.
- You failed to adequately protect your network, your coverage is void.
- You angered nerds, you brought this on yourself, your coverage is void.

Re:Ways out for the insurance companies (0)

Anonymous Coward | about a year ago | (#44469985)

Other ways out:
-Your coverage doesn't apply today due to sun spots.
-While connected to the network your coverage is supended.
-Your policy was terminated yesterday, didn't you get our tweet ?
-Monday's are excluded this week, it's in the fine print

Re:Ways out for the insurance companies (1)

Bob_Who (926234) | about a year ago | (#44470395)

We spent all of your money before the close of the bank day.

So sue us....

At least we kissed your ass and gave you a doughnut.

Re:Ways out for the insurance companies (0)

Anonymous Coward | about a year ago | (#44479929)

This is why insurance agencies need to build a reputation. Paying out hurts short term, but companies are more likely to buy from an agency that is known for paying out.

Naturally, this all takes time to filter through and it is painful in the mean time.

Yes (0)

Anonymous Coward | about a year ago | (#44469209)

Most of the security industry is FUD-flavoured snake oil. People still pay good money to this industry as "insurance".

There are many things we could be doing to actually improve security, from no longer using shoddy software to moving away from a monoculture to thinking of more substantial things to do than have "hatted, ethical hackers"* spray patches all over said shoddy software, and inevitably miss a few spots. But there's never time to do it right the first time, yet always to do it over again, expensively.

So yes to both. It's snake oil, and people still pay for it as "insurance", though eg. the banking industry calls it "due dilligence" instead. In the end, it's all arse covering, and none too effective. But that doesn't stop the spending.

* Who, as a rule, are not hackers, nor ethical, nor possessed of fashion sense.

Unconventional definition of loss? (1)

mysidia (191772) | about a year ago | (#44469211)

many cyber insurance policies cover only the cost of re-creating whatever data may have been lost during the breach — not notification costs, legal costs or other related expenses."

Data loss in a security breach usually and normally refers to the data that was exfiltrated or successfully leaked by an attacker. For example: Data Loss Protection software is designed to detect attempts to send personally identifiable information such as social security numbers over e-mail or upload it out of the company LAN.

As for recreating sabotaged or destroyed data; that is not always possible, but It's supposed to be part of the backups. A good insurer should compensate for the financial loss resulting from the destroyed data, not attempting to pay for what it will take to recreate it.

Assuming its data that could be recreated, by the time its recreated; it may be worthless, because the time requirement allowed a competitor to get ahead and get the patent filings done first.

Simple (0)

Anonymous Coward | about a year ago | (#44469335)

If it has the "cyber" in it, it's a scam, or at best a joke.

Cyber Insurance == Correlated Risk (1)

kye4u (2686257) | about a year ago | (#44469521)

Traditional insurance that include life insurance and fire insurance work on a key premise. This premise is that they can get enough different types of clients that can not only distribute the risk, but also decouple the risk.

Take fire insurance for example. A fire that happens in say Miami, FL is most likely not going to increase the risk of a fire occurring in Seattle, WA. Therefore a fire insurance company can make sure that the clients they select are geographically distributed to distribute the risk AND minimize the risk correlation.

In contrast, Cyber Insurance is somewhat unique from typical insurance because there is an inherent correlated risk that you run into regardless of how and where you choose your clients. Most clients run the same OS (Windows) and use the same software and AV packages. Therefore, a data breach that occurs with one client can mean other clients can be at immediate risk to also have a data breach

So what can happen is that a cyber insurance company can end up needing to pay out more money than they collect because breaches can happen concurrently or consecutively.

Re:Cyber Insurance == Correlated Risk (0)

Anonymous Coward | about a year ago | (#44477465)

The risk is the same it always is. People.

But Don't we really already know the answer? (1)

3seas (184403) | about a year ago | (#44469635)

Anti-virus companies have been found to use scare tactics. And there would have to be such payout conditions that eliminate payouts for faulty IT work that contributed to a breach.

What we make we can break.... And since breaking would be a real easy thing to do...... I believe its called insurance fraud..... But here its a how easy is it to do and get away with? And then there are losses that cannot be recovered, once exposed to the public.

And where are the insurance companies going to get the payout money, ibn teh event of a wide spread breach..... as the NSA leaks suggest.... The NSA is an organization of committing breaches.

Ophidian lipids, no doubt (1)

Rambo Tribble (1273454) | about a year ago | (#44469675)

Private insurance companies are not in business to benefit policyholders, but to enrich shareholders and executives. The companies in jeopardy would be wise to form a cooperative to attend their indemnification needs. Call it open sourced insuring.

Re:Ophidian lipids, no doubt (0)

Anonymous Coward | about a year ago | (#44477361)

That's just plain nonsense. You are talking about protected cell captives which in the current market are about as wise as pouring your money down the toilet. The only people that think they are a good idea is the people you will end up paying 7 figures to run the damn things.

Insurance means nothing in the current environment (1)

haus (129916) | about a year ago | (#44469885)

For starters, the 1.25 Billion estimate of Sony's lost is pure bullshit.

Even the TJX numbers are not likely a realistic representation. If you go back and review their stock price in the time frames which the breach was announced and subsequent news was released, a small hit seemed to occur, but it did not have a long term impact. The sad reality is that their security efforts were a joke, and yes it costs them, but quite likely not more than it would have cost them to have put forth a considerable effort on security in the first place.

Where things could get interesting would be if companies were legally held liable for failures to secure information of others which they opted to hold. Make the cat painful, to the point where the impact could shake even a very strong company. This would force a real discussion in board rooms, is the default behavior of trying to capture everything on everyone really in the best interest of the company? Should we dump info we do not have a use for? Should we limit what we gather in the first place?

If this were the starting point, then insurance could be interesting. Once a company has completed their first level pruning, then insurance could be sought. The insurance company would then insist to know what data you have? Where is this data? Who has access? How is it defended? Then they could set a rate based on the risk and the liability cost faced by stepped up legislation. In most cases this quote would be high, very high, which should be the tip of that a company should then prune more data, reduce access, and improve security, thus hopefully getting the company to a reasonable position that they should have been with at the begging, but have not been because it was not in their financial interest to do so.

all insurance is a scam (0)

Anonymous Coward | about a year ago | (#44470051)

the only reason it exists is because customers have incomplete information about their risk level

well that and insurance companies collude with politicians to make the purchase of their products required by law

security system (1)

SchroedingersCat (583063) | about a year ago | (#44470279)

Most cyber insurance policies require auditable security system in place. They will audit it after the incident and they usually will find reasons not to pay if you have never done external security audit and if CEO thinks that security is IT job.

Part of an Overall Compliance Strategy (1)

jon3k (691256) | about a year ago | (#44470661)

1. Perform Audit
2. Mitigate where possible
3. Insure the rest

Further info (0)

Anonymous Coward | about a year ago | (#44470991)

http://www.klgates.com/files/Publication/ad055263-b16b-4637-8735-049cab81c2a9/Presentation/PublicationAttachment/239ee296-257f-4025-8231-09816fe61efa/Insurance_Coverage_for_Cyber_Attacks_Part_Two.pdf

I will offer them insurance (1)

tompaulco (629533) | about a year ago | (#44473903)

I will gladly offer them insurance for only $1 million dollars a year, policy is null and void if your network is found to be insufficiently secured, as evidenced by a successful intrusion attempt.

READ THE DAMN POLICY! (0)

Anonymous Coward | about a year ago | (#44475109)

I love how otherwise sane and rational people bitch about insurance not covering them when it almost always turns out they never read the expensive policy contract they purchased.

READ THE DAMN POLICY!

Insurance policies are binding contracts to pay. If you policy is illegible or the definitions of words are iffy (and this is a genuine problem with some Cyber cover, where the policy covers everything but the definitions of words are far to restrictive, reducing the cover) then buy a different policy.

Seriously: You lot will carefully review the terms and conditions on iTunes and slag off a dodgy clause ad infinitum but you take insurance policies on FAITH until you need them and then complain that they don't cover what happened to you. ANYTHING can be covered if you shop around. Hell even the Alien Abduction insurance has paid out! TWICE!

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>