Making Sense Of Cyber Insurance

The Dark Web, a sequence of huge Data Breaches, Ransomware, Virtual Currency. How do insurers and their customers make sense of Cybersecurity?

Insurance is an old UK business. One of the earliest recorded instances of property insurance was in 1681, just after the Great Fire had torn London apart. The conflagration had laid the nation's capital low, leaving only the remains of St Paul's Cathedral, the Custom House, 44 company halls and 87 parish churches, and the smoking embers of 13,000 homes.

It was economist Nicholas Barbon, together with eleven of his associates, who established the first fire insurance company, the "Insurance Office for Houses", at the back of the Royal Exchange in London to insure 'brick and frame homes'. But that wasn't the beginning. Not even close.

According to Emmett J Vaughan's 1997 book titled Risk Management, methods of transferring or distributing risk were practiced by Chinese and Babylonian traders as long ago as the 3rd and 2nd millennia BC.

It is that rich history which has given insurance a bounty of actuarial data, the statistics used to calculate the risks that people and companies are insured against, to rely on when evaluating an insurance policy.

Mega-Breaches of the Dark Web

As the world has become so reliant on digital means of communication, and businesses are embracing transformative technology to bring about change, so the risk has arisen of a company's information systems being breached. We now live in a world of self-described Mega-Breaches, which see the credentials of millions of users pouring onto the Dark Web.

So it should come as no surprise that the need has arisen to insure against the risk of this happening. You can currently buy Cyber Liability Insurance Cover (CLIC), which has been available for around 10 years.

However, while CLIC insures against the fallout from having to notify the authorities of a data breach (currently the law in the US) and the direct costs of remediation, it does not insure against consequential loss: the loss of IP, company data, customers or reputation, a fall in share price, and so on.

United States Data Breach

In the United States, 46 of the 50 states currently have laws making data breach notification mandatory. In the UK, the impending EU General Data Protection Regulation (GDPR) also includes mandatory notification of breaches.

Mandatory data breach notification regulations are claimed to be a driver for CLIC, as the costs of notifying affected users of a breach can be extremely high. As the expense of dealing with a breach rises, and the cost of mandatory notification is added to it, CLIC will become more attractive for many businesses, who will come to view it as a mandatory tool for dealing with business risk.

At the moment, CLIC can cover costs relating to the management of an incident, the investigation, the remediation, data subject notification, call management, credit checking for data subjects, legal costs, court attendance and regulatory fines.

It can also cover third-party damages, which might include specific defacement of a website and intellectual property rights infringement, and it would even cover losses due to a threat of extortion, together with the professional and legal fees related to dealing with the extortion. The same goes for costs related to data lost by third-party suppliers and to the theft of data on third-party systems.

Simultaneously, some companies are attempting to provide a 'guarantee scheme' of sorts, which promises to pay a specified amount of money should their product fail and a data breach occur. One such company is SentinelOne.

SentinelOne's cyber-threat protection guarantee programme provides its customers with financial support of US$1,000 (£820) per endpoint, or up to US$1 million (£820,000) per company, securing them against the financial implications of a ransomware attack, if the company indeed suffers an attack and SentinelOne is unable to block or remediate the effects.

Ransomware

It is no secret that ransomware is a lucrative attack method whose use is rising exponentially: ransomware victims paid out US$209 million (£171 million) in Q1 2016, compared with US$24 million (£91.7 million) for all of 2015. Equipping organisations with the ability to eradicate this highly disruptive threat is therefore key.

“I've long rallied hard about the ineffective antivirus products currently on the market, which cost companies billions of dollars annually but ultimately fail to keep them secure,” said Jeremiah Grossman, chief of security strategy for SentinelOne. 

“The security industry is undergoing a credibility crisis, with security vendors launching product after product without specific validation of their effectiveness. But we're headed for a major shift where security vendors will be required, not only by customers but by lawyers and insurers, to put their money where their mouth is.”

And unfortunately, this is where the remit of CLIC and vendor-specific guarantees stop and where the real issues with cyber-insurance are highlighted.

Although the phrase "you've been hacked, and if you say you haven't, you just don't know about it" is often branded as a way for the cyber-security industry to incite Fear, Uncertainty and Doubt (FUD) amongst businesses, it points out a certain flaw in how risk is calculated.

If an insurance firm were to instantly assume that every company was breached, and just didn't know about it yet, presumably cyber-security insurance would be so expensive that no one would ever buy it. Let alone underwrite it.

Then you have to consider that while many companies have critical assets, or "Crown Jewels" as the industry likes to call them, many C-level executives currently struggle to put a price tag on them.

Charles White, CEO of Information Risk Management (IRM), a software and consulting firm, told SCMagazineUK.com at a roundtable at the House of Commons in June 2016 that "most companies we speak to don't quite know what their crown jewels are, or what they are worth."

White said that in order to put this issue into context, he would often have to show what stolen data is being sold for on dark web marketplaces.

McAfee Labs published a report titled The Hidden Data Economy in late 2015, which provided several interesting insights into the economics that govern stolen data on the dark web.

The average estimated prices for stolen credit and debit cards were: US$5 to US$30 (£4 to £26) in the United States; US$20 to US$35 (£16 to £29) in the United Kingdom; US$20 to US$40 (£16 to £33) in Canada; US$21 to US$40 (£17 to £33) in Australia; and US$25 to US$45 (£20 to £37) in the European Union.

Interestingly, Raj Samani, EMEA CTO for Intel Security, recently said that criminals are moving away from credit card data towards medical records, which aren't considered perishable: you can't just get a new medical record. These are now popular because they can be used for blackmailing and harassing the individuals named on the record.

And this brings into question the next issue, which was highlighted in the recent hack of the World Anti-Doping Agency (WADA), allegedly by the Russian group Fancy Bear.

Super-athletes such as Sir Bradley Wiggins and Mo Farah were both found to have filed papers under agreements called Therapeutic Use Exemptions (TUEs), which allow an athlete to take certain medication that is on WADA's prohibited list.

Putting the sporting aspects aside, the athletes all argued that this data breach, because of the public's perception of the issue, had them branded as cheats. Claims were made that their reputations were damaged, despite the use of TUEs being completely within the law.

Many would ask, if a data breach occurs, and Bradley Wiggins as a brand has a damaged reputation and this resulted in loss of income through lost sponsorships, for example, how would one insure against this damage to reputation?

The same issue was debated when it was announced that TalkTalk had lost 160,000 retail customers since it became the victim of a headline-grabbing cyber-attack in October 2015, contributing to a 56 percent fall in pre-tax profit for the financial year.

Pre-tax profits for the 2016 financial year were £14 million compared to £32 million in FY15, the company said when it published its preliminary results for the year to 31 March 2016.

Finally, it is well known that hackers and their methods are under continuous development, especially when it comes to nation states, which can afford to hire hackers who spend their days exclusively looking for ways into a system.

Unfortunately, this makes it very difficult to insure and legislate against, and it requires insurers to work at a much quicker speed.

‘Coin-Clusions’

Companies would also need to find a way to prove they were in compliance with their policy at the time the crime was committed. This is similar to how the new EU General Data Protection Regulation requires proof that, should a breach occur, the company made every effort to encrypt the data to minimise the fallout of the breach. Presumably, a company would be required to prove that its security measures were all active and in place at the time of the crime.

So it is very clear that an objective, evidence-based cyber-risk metric is needed to measure security effectiveness: not simply policies and procedures, but a metric which can offer underwriters a distinctive tool for assessing the potential for cyber-loss at a particular company.

Algorithms used to calculate cyber-risk metrics can analyse vast amounts of data, including Internet communication and evidence of actual security compromises and vulnerabilities. Underwriters can use this information, in addition to their other underwriting procedures, to provide a critical window of visibility into a company's security posture.

Currently there is no baseline for what is acceptable cyber-security, and while Cyber Essentials is providing a baseline for companies dealing with government, it is likely to be insurance requirements that set the benchmarks for the private sector.

Peter Woollacott, CEO of Huntsman Security spoke with SC and said that: “Cyber-security functions of enterprises and SMEs alike are growing and maturing. As a response, cyber-threats are now being taken as a serious business risk. Companies require quicker detection, analysis, and response as the number of attacks grows and automation is coming to help with this, and should assist with analyst speed times. However, the reality is, there simply aren't enough staff to deal with the issues at hand, even with a growth in business security culture.”

Woollacott concluded: "It is because of this gap that the risk has arisen, and with it the need to insure against said risk. With a 'robbing' almost inevitable, and insurers and underwriters struggling to put a price on it due to a lack of information and data, we're going towards a world where if a company implements certain security measures they will get a relief on their insurance bill."

"The Target case, and its subsequent US$300 million (£246 million) insurance bill set a baseline for a young but quickly maturing cyber-insurance industry. We're going to see a lot more of this, where a meeting between cost of the insurance and risk reduction will meet, which should hopefully bring about both better security and cheaper insurance. But first comes the challenge of actually being compliant with the policy," said Woollacott.
