- tl;dr sec
- Posts
- Cyber Insurance: A Primer for Infosec
Cyber Insurance: A Primer for Infosec
Nicole Becher, Director of Information Security & Risk Management, S&P Global Platts twitter, linkedin
abstract slides video
This talk is a really fun and info-dense whirlwhind tour of cyber insurance. Frankly, there’s too much good content for me to cover here, so I’ll do my best at providing an overview of the content Nicole covers with a few of the key points.
Nicole gave this talk because the cyber insurance industry is growing rapidly and at some point, we in the infosec community are going to have to be involved, so she wants to describe the key terminology and context we need to be reasonably informed.
Insurance is a mechanism individuals or organications use to limit their exposure to risk. Individuals band together to form groups that pay for losses. By forming groups, the risk is spread and no individual is fully exposed.
Nicole gives a quick history of the insurance industry, from Hammurabi, medieval guilds, Pascal’s tables (which led to actuarial tables, underwriting, and affordable insurance) to Ben Franklin.
The insurance industry has evolved over time, based on new technology and risks; for example, fire insurance after the great fire of London, automobile insurance once cars became widespread, and now cyber insurance.
Insurance Industry Today
There are 3 major market participants:
Brokers / Agents: Act as middlemen between the insurance buyer and the carrier. Must be licensed and regulated. They develop the sales infrastructure needed to sell insurance on behalf of the carrier.
Carriers: The company that holds the insurance policy; they collect premiums and are liable for a covered claim. They pool the risk of a large number of policy holders by paying out relatively few claims while collecting premuims from the majority of policyholders who don’t file claims over the same period.
Reinsurers: Insurance purchased by insurance carriers to mitigate the risk of sustaining a large loss. The carriers esll of portioins of their portfolio to a reinsurer that aggregates the risk at a higher level. This spreading of risk enables an individual insurance company to take on clients whose coverage would be too much of a burden for a single insurance company to handle alone.
Reinsurance blew my mind at first, but it makes sense.
Nicole walks through several types of insurance companies, including standard lines, excess lines, captives, direct seller,s domestic/alien, Lloyds of London, mutual companies, and stock companies.
Cyber Insurance - Background
The Cyber Insurance market is still early: only 15% of US companies have it and only 1% world-wide. As of 2016, it’s a $2.5B - $3.5B market and it’s estimated to be a $12B - $20B market by 2020.
A key distinction is differentiating between first party and third party insurance, both of which can be held by a company, individual, or group of individuals.
First party covers the policy holder against damages or losses to themselves or their property. Examples:
Breach notification
Credit monitoring services
PR campaign services
Compensating the business for lost income
Paying a ransom or extornist who holds data hostage
Third party protects the policy holder against liability for damages or losses they caused to a person or property. Examples:
Covers the people and businessses “responsible” for the systems that allowed a data breach to occur
Lawsuits relating to a data breach
Privacy liability
Technology errors & omissions
Writing and shipping vulnerable code/IoT
Key Terms
Coverage is the amount of risk or liability covered by a specific insurance policy, paid out up to a limit. A typical insurance policy is a collection of a series of coverages, each of which have their own sub-limit.
Exclusions define the types of risk that what will not be covered.
Important Note: coverages will typically specify whether it’s for first party or third party losses, and it’s critical to examine these terms.
Example Policies
Nicole then walks through a number of example policies composed of several coverage subcomponents, each having their own risk area and sub-limit. The examples are: incident response, cyber crime, system damage and business interruption, network security and privacy liability, media liability, technology errors and omissions, and court attendance costs.
Common Exclusions
Common exclusions that will not be covered by cyber insurance include: property damage or bodily injury due to security incidents, loss of IP, acts of war and terrorism (you’ve been hacked by a nation state), unlawful data collection (you collected data you shouldn’t have), failure to follow minimum security expectations which lead to a breach, there was a core Internet failure (e.g. in root DNS servers).
You need to negotiate exclusions. They are important and vary by carrier. The devil is in the details.
Nicole concludes with a number of challenges underwriters face, the people who evaluate risk and determine policy pricing, as well as some important legal tests of cyber insurance.
Can Cyber Insurance Help Align Incentives?
One point that Nicole made, that I thought was neat, was that hopefully cyber insurance will eventually to align economic incentives for security teams to do the right thing, not just because the security manager doesn’t want to get fired or have their company in the news. There have been a number of similar historical cases, like when homes had to be built to a fire-resistant code to be covered under the fire insurance Ben Franklin set up. Ideally, cyber insurance will be able to map risk to specific controls, which security teams can then use to justify headcount and budget, measurably improving their company’s security.
You can learn more and read some public cyber insurance polices in the SERFF Filling Acess system, an online electronic records system managed by the National Association of Insurance Commissioners (NAIC).