Sophos Cloud Optix
A blog post by one of US President Obama’s top cybersecurity advisers has sparked a debate on the importance of insurance in mitigating the threat posed by digital dangers to the world’s businesses and government agencies.
The insurance world is a massive moneyspinner, with global premiums of over $4.6 trillion paid out last year.
Insurers are always on the lookout for new dangers to insure us against, and it seems like cybercrime, hacking and compromises of business networks are considered a booming sector, ripe for expansion and exploitation.
Michael Daniel, a special assistant to Obama and cybersecurity coordinator, posted to a Whitehouse.gov blog earlier this week discussing the Cybersecurity Framework being put together by the US government.
The aim of the Framework is to encourage and enable companies, especially those providing critical infrastructure services in the US, to ensure they keep their computers and networks safe from compromise and infiltration.
With input from various teams working on the framework, including Homeland Security and the Treasury and Commerce Departments, the article suggests a list of eight methods to help encourage firms to adopt the proposed framework.
Several of these measures revolve around simplified regulation, tax breaks, government grants, research support, and preferential contracts.
But top of the list is the suggestion that the insurance industry should be encouraged to get involved:
Agencies suggested that the insurance industry be engaged when developing the standards, procedures, and other measures that comprise the Framework and the Program.
The goal of this collaboration would be to build underwriting practices that promote the adoption of cyber risk-reducing measures and risk-based pricing and foster a competitive cyber insurance market.
The cybersecurity insurance market is relatively new and undeveloped, according to a study last year from consulants Cap Gemini. Although we started seeing insurance against infection thrown in with some AV products several years ago, this was little more than a gimmick and never really took off.
The involvement of the big insurance players, covering big companies against potentially massive losses, is steadily transforming it into a major business though. It’s already raking in an estimated $1.3 billion per year in the US, with the rest of the world lagging some way behind.
Firms in Europe are slowly starting to expand into the field though, more than a year after the EU debated making cyber-insurance mandatory in some fields.
In Australia the market has been described as “promising to be a new boomlet“, with insurance experts sharing tips with each other on how to promote their new products:
What is cyber crime really costing Australia and the rest of the world? Use these jaw-dropping stats if your clients need convincing of the need for cover against cyber crime.
So, assuming you’re not an insurance salesman and haven’t invested heavily in insurance company stocks, how will this benefit you?
First of all, there should be a major improvement in the stats. Analysis of the size of the cybercrime threat, the numbers of people it effects and the amounts of money involved tends to be rather hazy. It’s a shadowy business of course, and pinning down its exact scope is complex and difficult.
Insurers love stats though. They need lots of data to calculate the odds on which to base their premiums.
If you want to insure yourself against getting your beard snagged in the wing mirror of a passing bus, you probably can, because they have detailed tables of historical data on how often that sort of thing happens, going back years (your premium will probably depend on the length and luxuriousness of the beard, and how often you hang out on bus routes).
For cybercrime though, the stats are few on the ground, with little history and not much verification.
We routinely see studies and reports trying to put figures to various things, such as how many firms have been hit by cyber attacks, the amount lost to cybercrime each year (135,000 Euros per incident in Ireland, apparently, but $5.4 million in the US), or how those who should be measuring this stuff are simply giving the whole thing up as a lost cause.
Attempts to reckon up the cost of all cybercrime at national or global levels tend to be fairly vague, hyperbole-ridden and even contradictory of previous guesses, with methodologies often sloppy and open to criticism.
So, as money starts to flood into the insurance firms, hopefully some of it will trickle back out into funding more comprehensive and scientific research into measuring the scale and impact of the threat.
The more we know about the size of the danger, and the more detail we have about what’s hitting who, where, and how hard, the easier it should be to target efforts to combat it.
There should also be more work done by businesses estimating their own risks from cybercrime, reckoned by some to be the biggest threat the world’s businesses and governments face. The process of risk appraisal should give them some ideas of what needs to be done to cover the holes.
Secondly, there should be financial pressure on businesses to improve their defences. Just as house insurance is cheaper if you have an alarm system and high-quality locks, so your cyber insurance premiums will go down if you can prove you have top-notch security processes and technologies protecting your networks and data.
In the long term, that should benefit everyone, as companies will be encouraged to invest in security so they can save money on insurance. Breaches and data leaks will go down, our data will be kept out of the hands of the bad guys, and we’ll be able to carry on our digital lives in blissful safety and privacy.
That’s the theory at least. It could be, of course, that some firms will start slacking on the security front, feeling they don’t need to bother too much as they’ll be covered financially if there’s a problem.
This would mean more hassle for us, as our data is left lying around on under-protected servers for anyone and everyone to harvest and exploit.
Whatever happens, it seems clear that as long as they can keep their premiums bigger than their payouts (a pretty safe bet), the one big winner will be the insurance firms.
Image of insurance button and cybercrime courtesy of Shutterstock.
Another layer of required insurance is apparently on the horizon. I wondered if our current US administration was working for insurance companies when the insurance reform act was proposed. This article is adding affirmation to those thoughts. I kind of wish security experts were involved in the creation of the 'rules' for this new industry just as I wish doctors were involved in the rules for health insurance, but I'm not very optimistic based on our track records. I think lawyers and investors will remain in charge.
I have been in the cyber insurance business for years (since 2002), and I can tell you that government announcements/proclamations about insuring cyber risk have been happening since then (if not before). This is not really news. The fact of the matter is that the cyber insurance market has grown quite rapidly over the last few years, and there is meaningful coverage available at all segments of the market currently (SMB, enterprise, brick and mortar companies, tech companies, etc.). In fact, this insurance is becoming a standard purchase (I am even seeing actions taken against brokers that fail to recommend cyber insurance). As far as meaningful data coming out of this to the public at large, don't count on it. That data, and how it is being crunched, is very proprietary to each carrier.
I think insurance firms are the best struggling companies all over all the world. They suffer most economic crisis in the world.