Cyber Insurance, CS5493(7493)
AKA
• E-commerce insurance
• E-business insurance
• Information system insurance
• Network intrusion insurance
Brave New World
A new field of insurance; policies began appearing at the beginning of the 21st century.
Traditional Policies
Traditional insurance policies do handle tangible loss and damage claims due to:
• Fire
• Flood
• Theft
• Other natural disasters
• Liability claims
Traditional Policies
Traditional policies would not cover financial losses related to lost data: data losses caused by DoS or malware attacks are not covered.
Traditional Policies: Data Loss Claims
For that distinction you can thank American Guarantee & Liability Insurance Co. v. Ingram Micro Inc., a U.S. District Court ruling in Arizona in 2000. The court held that a computer outage caused by a power problem constituted physical damage within the meaning of the policy Ingram Micro had purchased from American Guarantee.
"After that, the insurance firms changed their policies to state that data is not considered tangible property." (Kalinich)
The upshot is that an enterprise needs a separate cyber insurance policy to cover data-related losses.
Legal Precedent
• High-profile cases decided against one insurer cause all insurers to change their policy offerings.
Cyber-Insurance
The gap left by traditional policies created a market for cyber-insurance.
Examples of what traditional policies do not cover:
• Data loss from malware (AGLI v. Ingram Micro)
• Revenue loss from DoS attacks
• Notifying individuals whose private information has been compromised
• Re-issuing compromised credit cards
• Etc.
Cyber Insurance Challenges
• Insurance market inefficiencies
• Asymmetric information
• Mono-cultures
• Moral hazard
Cyber Insurance Inefficiencies
• A new field of insurance; policies began appearing at the beginning of the 21st century.
• Not much data for actuaries to determine the risks.
• Prices of policies vary greatly from one product offering to the next.
• Insurance regulators have little guidance for monitoring cyber-insurance policies.
• Insurers face a small market for reinsurance available for cyber-policies.
Claims
Signs of an immature product offering: early claims made under cyber-policies were contentious (they ended up in court), and the court disputes were not decided consistently due to a lack of precedent.
Lack of Standards
• There are no standard products; insurers are creating policies on a case-by-case basis.
• There are no standard products for insurance regulators to examine.
Asymmetric Information
• The firm knows its own risk far better than the insurer does. If a firm purchases a $25 million policy, it must have a good reason to do so (is it in the best interest of the insurer to offer such a policy?).
Mono-Culture Risk
• An insurance company must have a diverse base to reduce the possibility of being overwhelmed by a single event generating too many claims.
• The interdependency and correlation of risk across policyholders exposes insurers to a high probability of excessive losses.
• Insurers need a diverse and large policyholder base.
Cyber Insurance Mono-Cultures
The IT industry carries the risk of installed-system mono-cultures: millions of systems run MS Windows and all could be vulnerable to the same attack. Some attacks therefore carry a high probability of excessive payouts by the insurers.
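The correlated-loss point above can be made concrete with a small Monte Carlo. This is an added illustration, not part of the lecture: it compares two books of business with the same expected annual claims, one where policyholders are compromised independently and one where a shared vulnerability (the mono-culture) can hit every policyholder in the same year. The portfolio size, loss probabilities, reserve level, trial count and seeds are all assumptions chosen for illustration; the loss model (one unit paid per compromised holder, a single common-mode event) is a deliberate simplification.

```python
"""Monte Carlo illustration of mono-culture (correlated) claim risk.

Added example, not from the lecture. Portfolio size, probabilities,
reserve and trial count are assumed. Two books with the SAME expected
claims are compared:
  - independent: each policyholder is compromised on its own with
    probability p per year
  - mono-culture: with probability q per year a shared vulnerability is
    exploited and EVERY policyholder claims at once; otherwise holders
    are compromised independently with a residual probability p_res
Expected per-holder loss is q + (1 - q) * p_res, so p_res is chosen to
make the two books cost the insurer the same on average.
"""
import random

HOLDERS = 500            # policyholders in the book (assumed)
LOSS_PER_CLAIM = 1.0     # each claim pays one unit (assumed)
TRIALS = 2000            # simulated policy years (assumed)


def expected_claims(n, q, p):
    """Analytic expected number of claims per year for a book of n holders."""
    return n * (q + (1.0 - q) * p)


def simulate_year(rng, n, q, p):
    """Number of claims in one simulated year of the book."""
    if rng.random() < q:          # shared vulnerability exploited this year?
        return n                  # everyone on the platform claims
    return sum(1 for _ in range(n) if rng.random() < p)


def run_book(q, p, reserve, n=HOLDERS, trials=TRIALS, seed=1):
    """Simulate `trials` years; report mean claims, worst year and
    the fraction of years in which claims exceed the reserve."""
    rng = random.Random(seed)     # seeded so the run is reproducible
    totals = [simulate_year(rng, n, q, p) for _ in range(trials)]
    mean = sum(totals) / trials
    ruin = sum(1 for t in totals if t * LOSS_PER_CLAIM > reserve) / trials
    return {"mean": mean, "max": max(totals), "ruin_prob": ruin}


# Independent book: no common-mode event, 5 % annual compromise rate (assumed).
P_IND = 0.05
# Mono-culture book: 4 % chance per year that the shared flaw hits everyone;
# residual independent rate chosen so expected claims match the other book.
Q_MONO = 0.04
P_MONO = (P_IND - Q_MONO) / (1.0 - Q_MONO)

# Reserve the insurer holds: twice the expected annual claims (assumed).
RESERVE = 2.0 * expected_claims(HOLDERS, 0.0, P_IND) * LOSS_PER_CLAIM


def compare():
    """Run both books against the same reserve and return both summaries."""
    return {
        "independent": run_book(0.0, P_IND, RESERVE, seed=1),
        "monoculture": run_book(Q_MONO, P_MONO, RESERVE, seed=2),
    }


if __name__ == "__main__":
    print(f"expected claims per year: independent="
          f"{expected_claims(HOLDERS, 0.0, P_IND):.1f}, monoculture="
          f"{expected_claims(HOLDERS, Q_MONO, P_MONO):.1f}, reserve={RESERVE:.0f}")
    for name, stats in compare().items():
        print(f"{name:12s} mean={stats['mean']:6.1f} worst year={stats['max']:4d}"
              f" P(claims exceed reserve)={stats['ruin_prob']:.3f}")
```

Both books average the same number of claims, so a premium set from expected loss alone would be identical; the difference is entirely in the tail. The independent book essentially never exceeds a reserve of twice its expected claims, while the mono-culture book blows through it in roughly one year in twenty-five, because in those years every policyholder claims together. That is the "single event generating too many claims" the slide warns about, and why the insurer's diversification across platforms matters as much as the size of its book.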
Moral Hazard
Under full insurance, the insured has little incentive to undertake precautionary measures because losses are compensated.
Moral Hazard
Ways to mitigate moral hazard:
• Impose claim limits
• Deductible requirement on claims
• Claims carry a monetary convenience cost
• Increase premium rates to the insured
• Fraudulent claims and criminal behavior of the insured are not covered
• Policyholder must meet a standard of care
• Contracts must be renewed annually; the insurer can terminate the relationship
Standard of Care Requirements
• The insurers are making standard of care requirements mandatory for cyber-insurance coverage.
Standard of Care Requirements
• Data backup and procedures
• Data backup storage
• Network firewalls
• Security software (e.g. anti-malware)
• Well-defined security plan
• Password management
• Employee security awareness training
• Software updates/patches
• Standard configurations
• Encryption
• Vulnerability monitoring
• Physical security controls
• Remote access controls
• Privacy and confidentiality policies
• Business continuity (disaster) plan
• Testing of security controls
Standard of Care Requirements
• The insurers are providing cyber risk-management services to help clients identify vulnerabilities.
Cyber Insurance Providers
• AIG
• Zurich North America
• Saint Paul Companies
• Liberty Mutual
• Lloyd's of London
• Chubb Group
• INSUREtrust
Policy Premiums
• Policy premiums are based on a wide number of factors:
• Size of company
• Amount of data to protect
• Past losses and previous claims
• Number of individuals having privileged access
• Standard of care enforcement
Policy Premiums
• AIG
• A small company can spend as little as $1,000/year for up to $100K of coverage.
• More comprehensive coverage can be purchased for $50,000/year.
Coverage (Chubb Group)
• Data Breach Coverage includes the cost of:
• Notifying victims (mandated by law in many instances)
• Call center support for the incident
• Credit monitoring for victims
• Credit restoration services for victims
• Crisis management services
• Replacement of affected equipment
• Data recovery costs
Coverage (INSUREtrust)
• Regulatory & Civil Action Coverage
• Fines from private and government regulatory agencies (under HIPAA, SOX, …)
• Civil class-action and individual lawsuits
Study the liability insurance in the other policies you hold to ensure you are not paying for double coverage; insurance companies will not double-cover a claim.
Coverage (Chubb)
• Cyber extortion coverage
• For cases where a hacker steals data from the policy holder and then tries to sell it back, or someone plants a logic bomb in the policy holder's system and demands payment to disable it. Among other things, the policy should cover the cost of a negotiator, and the expense of offering a reward leading to the arrest of the perpetrator
Coverage
• Virus liability:
• Pays in cases where the policy holder is sued by someone who claims to have gotten a virus from the policy holder's system
Total Cyber Policy Coverage
Insurance provider Willis NA estimated about $750 million in total cyber policies worldwide (P. Foster, Dec 2011).
Cyber insurance coverage increased to an estimated $1.2 billion or more in 2013 (the total insurance marketplace is $1.1 trillion, Insurance Information Institute).
A 20% increase over 2011 (Marsh & McLennan).
A 33% increase over 2012 (ibid).
Coverage Growth Cause
• Regulatory requirements that customers be notified when their data is compromised.
Example of Cyber Insurance
• The Target Stores security breach resulted in $61 million in expenses (Reuters, 2014).
• A cyber insurance policy covered $44 million of those expenses, leaving a net loss of $17 million for Target.
Regulation vs Insurance
• Regulation has punitive measures for non-compliance: fines and incarceration
• Insurance is used to transfer risks, there are no fines or incarceration, only the threat of monetary loss, reputation, etc.
Regulation vs Insurance
• What if government agencies and contractors were required to purchase cyber insurance rather than being subject to punitive measures?
• What if the government provided a temporary reinsurance market to help the overall marketplace grow?
• There would be resistance to such suggestions (White House paper, 2005).