BreachExchange mailing list archives

The High Cost of Hacks


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 9 Mar 2015 22:46:29 -0600

http://www.usnews.com/opinion/blogs/world-report/2015/03/06/cyber-insurers-must-do-a-better-job-of-assessing-risk-of-hacks

The latest information from the Target data breach suggests that it
suffered losses of $248 million. Thank goodness they had insurance. Well,
sort of. They were covered for up to $100 million, which means it will only
cost them $148 million. Yikes.

As you may have read elsewhere, cyber insurance is a growing business with
premiums nationwide expected to reach $2 billion this year. These policies
are meant to cover losses stemming from data breaches and other kinds of
security incidents. Sony says it has insurance to cover its most recent
hack, though there isn't much any policy can do to mitigate the
embarrassment from the leaked executive emails.

What cyber insurance can do, however, is help reduce the losses from data
breaches to begin with. Except that it isn’t. Let me state upfront that I
am a strong proponent of cyber insurance. Insurance companies and the
companies that offer them can play a critical role in informing
corporations about effective security controls, monitoring the use of those
controls, and therefore help reduce the probability and magnitude of data
breaches and other security incidents. I emphasize the words "can play"
because all indications suggest that insurance companies are squandering
this amazing opportunity. Let me explain.

First, aside from the typical contractual details of the actual policy
(defining coverage, triggers, exclusions, endorsements, etc.), firms seeking
cyber insurance are presented with a security questionnaire. This
questionnaire can run from just a few pages to more than 10, and it queries
the firm on the various forms of information technology governance policies
as well as technical security controls that the firm employs. For instance,
the questionnaires ask about the number of full-time IT security staff that
are employed, how many of them possess information security certifications,
the number of consumer records kept (which may contain financial, health or
other personal information) and the use of encryption by the company for
storage and transmission of data, to give just a few examples. This is a
familiar practice in the insurance industry. When you apply for car
insurance, for example, the insurance company will identify whether your
car is equipped with anti-lock brakes, a security system and special
traction control devices. When you apply for health insurance, you are
asked about your medical history and current health behaviors such as your
frequency of smoking and drinking. It's a common and perfectly reasonable
process.

While this sounds good, there are a couple of major problems with these
security questionnaires. It is unclear how an insurer should interpret the
responses. While most people would agree that having a firewall or proper
network access control is better than having neither, it is unclear how an
underwriter would interpret and
operationalize the answers to these questions. Exactly what reduction in
premium should an insured enjoy for employing two-factor authentication or
implementing a vulnerability management program? As someone with over a
decade of experience as an information security professional, even I would
find this difficult. Further, in conversations with carriers and brokers,
it doesn't seem that these questionnaires are used for anything other than
a rudimentary examination of basic controls – if even that.

Another problem with the questionnaire is that even if it were useful at the
time of policy adoption, cyberthreats and defense capabilities change,
and therefore IT systems and software applications require updating,
patching and reconfiguring, as well as monitoring by a third party. Without
a recurring process for evaluating the status of a company's security
controls, what incentive is there for it to remain diligent against new
threats given that it already has cyber insurance coverage? Yes, a
company would prefer not to appear in a news story of breached firms and
avoid the costs of breach notification and potential third-party
litigation. But if the firm has insurance to cover these losses, its only
loss is the cost of the deductible. To be clear, the reduced incentives
driven by being fully insured are not new. This is simply a moral hazard,
and it exists in any insurance market any time imperfect information is
shared between parties.

The second reason that insurance carriers are missing a great opportunity
is that, based on conversations with underwriters, they don’t appear to be
using their own claims data in order to better assess the risk of a company
suffering a data breach and filing a claim. It would be a shame if this
were the case because there are so many great questions that could be
answered with these data. Having many observations makes proper statistical
inference possible, but even a few observations still enable basic
analysis. And yet it doesn't appear to be happening.

So why is that? Some suggest that there simply aren't enough data available
for even basic analysis. If that’s true, it would be a very good
explanation – you can’t work with what you don’t have. But it would also
imply that firms are buying policies, suffering breaches and not filing
claims. This would suggest that cyber insurance is a very profitable
business.

Another possibility is that the analysis is indeed being done, but no
strong correlations are being found. That is, despite all the data
available – security and otherwise – there are no strong indicators
emerging as to what is more likely to predict (and therefore prevent) a
data breach. If breaches are, indeed, random events, then this might make
sense. Breached firms would simply be the victims of bad luck. But if they
aren’t merely random events, then we need to look more closely and identify
those factors which best protect against hackers.

The point of this article is not to expose the cyber insurance industry as
behaving badly, but to invite it to step up and use the beautiful data it
has to help shape and improve the security posture of its clients. Everyone
will benefit. Corporations will learn to identify which security controls
really matter in preventing and reducing breaches; consumers will suffer
fewer losses from breaches; insurance carriers will continue to profit when
their insureds invest in the right controls; and policymakers will see
industries overall become more secure. This is one situation where common
sense makes good business sense. My fear is that unless they act, the only
ones who will profit will be the hackers and the insurance companies.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
