Cyber Insurance cs5493(7493). AKA: E-commerce insurance, E-business insurance, Information system insurance, Network intrusion insurance.


Brave New World Cyber insurance is a new field of insurance: policies began appearing at the beginning of the 21st century.

Old vs New What do traditional insurance policies cover?

Traditional Policies Traditional insurance policies do handle tangible loss and damage claims due to: fire, flood, theft, other natural disasters, and liability claims.

Traditional Policies Traditional policies do not cover financial losses related to lost data. Data losses from DoS or malware attacks are not covered.

Traditional Policies: Data Loss Claims For that distinction you can thank American Guarantee & Liability Insurance Co. vs. Ingram Micro Inc., a U.S. District Court ruling in Arizona. The court held that a computer outage caused by a power problem constituted physical damage within the meaning of the policy Ingram Micro had purchased from American Guarantee. "After that, the insurance firms changed their policies to state that data is not considered tangible property." (Kalinich) The upshot is that an enterprise needs special cyber insurance to cover data-related issues.

Legal Precedent A high-profile case lost by one insurer causes all insurers to change their policy wording and offerings.

Cyber-Insurance The gap left by traditional policies created a market for cyber-insurance. Examples of what traditional policies do not cover: data loss from malware (excluded by the "data is not tangible property" wording insurers adopted after AGLI vs Ingram Micro); revenue loss from DoS attacks; contacting individuals whose private information has been compromised; re-issuing compromised credit cards; etc.

Cyber Insurance Challenges Insurance market inefficiencies; asymmetric information; mono-cultures; moral hazard.

Cyber Insurance Inefficiencies Cyber insurance is a new field (policies began appearing at the beginning of the 21st century), so: there is not much data for actuaries to determine the risks; prices of policies vary greatly from one product offering to the next; insurance regulators have little guidance for monitoring cyber-insurance policies; and insurers face a small reinsurance market for cyber-policies.

Reinsurance Insurance carriers can purchase insurance of their own to spread their risk across other carriers (reinsurers).

Claims Signs of an immature product offering: early claims made under cyber-policies were contentious (they ended up in court), and court decisions were inconsistent due to the lack of precedent.

Lack of Standards There are no standard products; insurers are writing policies on a case-by-case basis, so there are no standard products for insurance regulators to examine.

Asymmetric Information The insured knows far more about its own exposure than the insurer does. If a firm wants to purchase a $25 million policy, it presumably has a good reason to do so; is it in the insurer's best interest to offer such a policy?

Mono-Culture Risk An insurance company must have a diverse policyholder base to reduce the possibility of being overwhelmed by a single event generating too many claims. Because cyber risks are interdependent and correlated, insurers face a high probability of excessive losses and need a diverse and large policyholder base.

Cyber Insurance Mono-Cultures The IT industry carries the risk of installed-system mono-cultures: millions of systems run MS Windows and all could be vulnerable to the same attack, so some attacks carry a high probability of excessive payouts by the insurers.
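As an added illustration (not from the course slides or from any insurer), the following Python computes the exact aggregate-claim distribution for two books of 1,000 policies with identical expected loss: one where breaches are independent, and one where half the policyholders share a platform that a single exploit can breach all at once. Every number in it (book size, loss per claim, breach rate, capital level, shared fraction, exploit probability) is a constructed assumption chosen to show the effect, not data from any real book of business.

```python
"""Why an insurer fears a mono-culture: same expected loss, far fatter tail.

Added illustration; this is not code from the course slides or from any
insurer. Every number below is a constructed assumption (book size, loss per
claim, breach probability, capital held, share of policyholders on one common
platform, probability of a platform-wide exploit), not real insurer data.
"""


def binom_pmf(n, p):
    """Exact pmf of Binomial(n, p), indexed by claim count k.

    Uses the ratio recurrence instead of comb()*p**k so nothing overflows or
    underflows for a book of a thousand policies."""
    pmf = [0.0] * (n + 1)
    pmf[0] = (1.0 - p) ** n
    ratio = p / (1.0 - p)
    for k in range(n):
        pmf[k + 1] = pmf[k] * (n - k) / (k + 1) * ratio
    return pmf


def convolve(a, b):
    """pmf of the sum of two independent integer-valued claim counts."""
    out = [0.0] * (len(a) + len(b) - 1)
    for i, pa in enumerate(a):
        if pa == 0.0:
            continue
        for j, pb in enumerate(b):
            out[i + j] += pa * pb
    return out


def summarize(pmf, loss, capital):
    """(expected aggregate loss, P[aggregate loss > capital]) for a claim-count pmf."""
    expected = loss * sum(k * pk for k, pk in enumerate(pmf))
    k_min = capital // loss + 1  # smallest claim count whose total exceeds capital
    ruin = sum(pmf[k_min:])
    return expected, ruin


def independent_book(n, p, loss, capital):
    """Every policyholder is breached independently with probability p."""
    return summarize(binom_pmf(n, p), loss, capital)


def monoculture_book(n, p, loss, capital, shared_frac, q):
    """A fraction shared_frac of the book runs one platform. With probability q
    a platform-wide exploit breaches all of them at once; otherwise they are
    breached independently with a reduced probability p_idio, chosen so each
    policyholder's marginal breach probability is still p. The rest of the book
    is independent with probability p. Expected loss therefore equals that of
    independent_book(); only the shape of the distribution changes."""
    assert 0.0 <= q <= p < 1.0, "need q <= p so the idiosyncratic rate stays >= 0"
    n_shared = int(n * shared_frac)
    n_rest = n - n_shared
    p_idio = (p - q) / (1.0 - q)  # q + (1 - q) * p_idio == p
    rest = binom_pmf(n_rest, p)
    no_shock = convolve(binom_pmf(n_shared, p_idio), rest)  # length n + 1
    shock = [0.0] * n_shared + rest  # all n_shared claims plus the rest; length n + 1
    pmf = [(1.0 - q) * a + q * b for a, b in zip(no_shock, shock)]
    return summarize(pmf, loss, capital)


if __name__ == "__main__":
    # Constructed assumptions: 1,000 policies, $100K per claim, 2% annual breach
    # rate, capital equal to twice the expected annual loss, half the book on one
    # platform, 0.5% chance per year of a platform-wide exploit.
    N, P, LOSS, CAPITAL = 1000, 0.02, 100_000, 4_000_000
    e_ind, ruin_ind = independent_book(N, P, LOSS, CAPITAL)
    e_mono, ruin_mono = monoculture_book(N, P, LOSS, CAPITAL, 0.5, 0.005)
    print(f"independent : expected loss ${e_ind:,.0f}  P(loss > capital) = {ruin_ind:.2e}")
    print(f"mono-culture: expected loss ${e_mono:,.0f}  P(loss > capital) = {ruin_mono:.2e}")
```

With these assumptions both books have an expected annual loss of $2,000,000, so a premium priced on expected loss alone looks identical for both. The independent book exceeds capital set at twice that figure with probability well under one in a thousand; the mono-culture book does so with probability of at least q (0.5%), because the platform-wide event on its own wipes out the capital. That gap is the correlated-risk problem the slide describes, and it is why the underwriter asks what platform the whole book runs on, not just what each applicant's own breach history looks like.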

Moral Hazard Under full insurance, the insured has little incentive to undertake precautionary measures because losses are compensated.

Moral Hazard Insurance companies have strategies to reduce their moral hazard risk.

Moral Hazard Ways to mitigate moral hazard: impose claim limits; require a deductible on claims; let claims carry a monetary and convenience cost for the insured; raise the insured's premium rates; exclude fraudulent claims and criminal behavior of the insured from coverage; require the policyholder to meet a standard of care; renew contracts annually so the insurer can terminate the relationship.

Standard of Care Requirements The insurers are making standard-of-care requirements mandatory for cyber-insurance coverage: data backup procedures; data backup storage; network firewalls; security software (e.g. anti-malware); a well-defined security plan; password management; employee security awareness training; software updates/patches; standard configurations; encryption; vulnerability monitoring; physical security controls; remote access controls; privacy and confidentiality policies; a business continuity (disaster) plan; testing of security controls; logging of events; measuring the effectiveness of security controls.

Standard of Care Requirements The insurers also provide cyber risk-management services to help clients identify vulnerabilities.

Cyber Insurance Providers AIG, Zurich North America, Saint Paul Companies, Liberty Mutual, Lloyd's of London, Chubb Group, INSUREtrust.

Policy Premiums Policy premiums are based on a wide number of factors: size of company; amount of data to protect; past losses and previous claims; number of individuals having privileged access; standard-of-care enforcement.

Policy Premiums (AIG) A small company can spend as little as $1,000/year for up to $100K of coverage; more comprehensive coverage can be purchased for $50,000/year.

Coverage (Chubb Group) Data breach coverage includes the cost of: notifying victims (mandated by law in many instances); call center support for the incident; credit monitoring for victims; credit restoration services for victims; crisis management services; replacement of affected equipment; data recovery costs.

Coverage (INSUREtrust) Regulatory and civil action coverage: fines from private and government regulatory agencies (under HIPAA, SOX, ...); civil class-action and individual lawsuits. Review the liability coverage in the other policies you hold to ensure you are not paying for double coverage; insurance companies will not pay twice on one claim.

Coverage (Chubb) Cyber extortion coverage, for cases where a hacker steals data from the policyholder and then tries to sell it back, or someone plants a logic bomb in the policyholder's system and demands payment to disable it. Among other things, the policy should cover the cost of a negotiator and the expense of offering a reward leading to the arrest of the perpetrator.

Coverage Virus liability: pays in cases where the policyholder is sued by someone who claims to have gotten a virus from the policyholder's system.

Coverage Lost revenue, for example revenue lost due to DDoS attacks.

Coverage A new provision in cyber-insurance includes “damage to reputation”

Total Cyber Policy Coverage Insurance broker Willis NA estimated about $750 million in total policies worldwide (P. Foster, Dec 2011). Cyber insurance coverage later increased to an estimated $1.2 billion in [year missing on the slide] (the total insurance marketplace is $1.1 trillion, Insurance Information Institute): a 20% increase over 2011 (Marsh & McLennan), and a 33% increase over [year missing on the slide] (ibid).

Cause of Coverage Growth Regulatory requirements that customers be notified when their data is compromised.

Example of Cyber Insurance The Target Stores security breach resulted in $61 million in expenses (Reuters, 2014). A cyber insurance policy covered $44 million of those expenses, leaving Target with a net loss of $17 million.

Regulation vs Insurance Regulation has punitive measures for non-compliance: fines and incarceration. Insurance is used to transfer risk; there are no fines or incarceration, only the threat of monetary loss, reputational damage, etc.

Regulation vs Insurance What if government agencies and contractors were required to purchase cyber insurance rather than being subject to punitive measures? What if the government provided a temporary reinsurance market to help the overall marketplace grow? There would be resistance to such suggestions (White House paper, 2005).