Ask Slashdot: Cyber Insurance. Solution Or Snake Oil?
onehitwonder writes "A recent article in The Wall Street Journal's CIO Journal argues in favor of the benefits of cyber liability insurance — policies designed to help companies cover costs they incur in the aftermath of data breaches (whether for investigation, remediation, customer notification, regulatory fines or legal settlements). Two Deloitte consultants interviewed for the article argue that cyber insurance can help companies offset the increasingly staggering costs of a data breach. (Several of the biggest data breaches in recent history, including Heartland and TJX, have cost those companies hundreds of millions of dollars. A Mizuho Investors Securities analyst estimated the total cost of the 2011 Sony data breaches at $1.25 billion.) The question is: will insurance providers really come through when companies begin filing claims on their cyber liability policies, or will they find ways out? A 2011 article from Computerworld notes that even though a growing number of companies have been purchasing cyber insurance, it's hard to find examples where one of those policies has actually covered the costs of a data breach. Moreover, the Computerworld article points out that many cyber insurance policies cover only the cost of re-creating whatever data may have been lost during the breach — not notification costs, legal costs or other related expenses."
Really? That's a question? (Score:3)
If you don't get too screwed, they'll probably pay out, just because it improves their reputation enough to improve their bottom line.
Do you want to bet that you'll get less screwed by a data intrusion than by the insurance company? Go for it!
Re:Really? That's a question? (Score:4, Informative)
Do you want to bet that you'll get less screwed by a data intrusion than by the insurance company? Go for it!
That is in effect the essential idea of insurance. It's a wager. Clearly it only works if more money gets taken from "losers" than gets paid to "winners."
Re: (Score:1)
Might as well buy a lottery ticket instead!
Re: (Score:2)
Re: (Score:2)
That's what re-insurance is for: they insure the insurance company in case there are too many payouts for them to remain insolvent.
What's more, insurance is typically regulated, which means that there are limitations on when they can refuse a claim. In most cases they have to pay out, provided the incident is covered and unless they have evidence of insurance fraud.
In practice, they'll usually pay unless there's flagrant fraud going on, but if the incident shouldn't have been covered, they'll often times j
Re: (Score:2)
He should have read the fine print. Also, I find this highly improbable. My insurance has a similar clause in it for when I go to a different hospital that they don't have a contract with. They still have to pay, it's just that I have to get authorization and I might have to be moved to a different hospital. I'd have contacted the insurance commissioner, because that doesn't sound legal.
As for the casino analogy, that's a stretch. Insurance is there to put you back where you would have been had you not resu
Re: (Score:2)
Re:Really? That's a question? (Score:5, Insightful)
Re: Really? That's a question? (Score:1)
Re: (Score:2)
The point of insurance is to cover potential expenses that you cannot cover yourself by joining a risk sharing pool.
If somebody at WalMart offers to sell you a $20 insurance policy on a $100 bike, then you're a fool to take it because you can cover the $100 yourself.
If you can't cover the cost of rebuilding your $200,000 house out-of-pocket, then you better have fire insurance on it.
Those things aside, insurance creates an incentive to do good things. If you have smoke detectors and fire extinguishers in y
Re: (Score:3)
Re: (Score:2)
No system is 100% secure or safe, insurance takes a fee to pay for the repairs or lawsuits if something that you can't prevent happens. For instance, auto insurance often times covers uninsured motorists that crash into you due to their negligence. Sure, you can sue them, but a person like that might not have sufficient assets to pay reparations for the damage. And if they die, the estate may not have sufficient cash to pay off any claims. In terms of crackers, even if you do manage to catch them, how many
Re: (Score:2)
You feel that disasters happen, and that you should be prepared (by having insurance)
I feel that disasters are rare. Most (not all) disasters are also avoidable IMNSHO.
As an example, my car has been broken into twice in the last 15 years. (my car is very easily broken into...) On the first occasion, they got a laptop and some other stuff, on the second occasion they got about $5.00 in parking change. Let's say the two thieves got away with $1000 in goods
Re: (Score:2)
Right, and you don't understand insurance. And you also don't understand basic statistics. It doesn't really matter if it's a 1 in a million risk if ultimately it does happen and you lose your house over it. That's where insurance comes in handy. The insurers have actuaries that estimate the likelihood of the event happening and the price tag if it does happen. And they're surprisingly good. They might not know exactly what your risks are, but they're pretty good.
Insurance isn't really there for things you
Re: (Score:2)
The point of insurance is to cover potential expenses that you cannot cover yourself by joining a risk sharing pool.
Tell that to health insurance in America.
The kind of insurance that you are talking about (classic catastrophic coverage) isn't enough to avoid new federal fines for not being insured enough. You must "share the risk" of things like yearly checkups, too.
Re: (Score:2)
That is in effect the essential idea of insurance. It's a wager. Clearly it only works if more money gets taken from "losers" than gets paid to "winners."
If it were merely that, insurance companies would be a nearly honest business, like bookies or casinos...
The trouble is not so much that, for insurance to be something worth offering, the sum paid in (by all subscribers) must be greater than the sum paid out (to parties who end up making claims); but that insurers are...talented and creative... when it comes to reducing both the number of eligible claimants and the size of eligible claims. At least in ordinary gambling, the rules of the game are generally f
Re: (Score:2)
Not really. People who treat insurance that way don't understand insurance. The point of insurance isn't to win some sort of lottery. On average, you will pay more for your insurance premium than you will for your claims. What insurance does is let you take an existing, expensive risk, and ameliorate it over time.
Take home insurance. Say your home and contents is worth $100,000. The existing risk is that if your house burns down, you're up for a $100,000 bill to replace everything. Say the premiums for your
Re: (Score:2)
Just a hunch, but, maybe people should check to see if these "insurance" companies are allowed to operate in their state before getting happy with the checkbook.
Re: (Score:2)
We buy insurance to hedge against a major problem. House on fire, theft, car accident, floods, lawsuits... For the most part stuff you normally don't want to happen to you. The insurance company's job is to cover you in case of the problem.
Now they can't operate without making money, and they are for profit. So they will try to make sure they will make their money on the whole. They do this by charging a fee for service. Now the cost of the fee per service needs to be high enough to cover your probabili
Re: (Score:2)
Apparently, to actually be covered you need insurance insurance and insurance insurance insurance.
Negligence will be the keyword (Score:3)
When you look at the various data breaches that became public in the more recent past (especially those done as some kind of protest or out of spite, to harm a company in its goodwill) and analyze the attack vector, you cannot help but shake your head in disbelief. The vectors range from SQL injections to exploits in ancient software that should have been patched months, if not years ago. If that isn't the textbook example of negligence, what is?
Still, I'm all FOR insurance. Because insurances are notorious for requiring their customers to minimize the chance for a reason to file a claim, and your premium is usually dependent on your risk. If you invest in security, your insurance premium would be lower, and we might FINALLY see some CEOs invest in security since now they can see that it's cheaper than paying for the insurance, since they're blind to the fact that it's cheaper than paying for the fallout.
Yes and no ... (Score:2)
So it's reasonable to assume that they will impose more effective and more thorough security standards than companies would otherwise do. Just think about fire hazards. Most companies I know of implement fire prevention measures, install firefighting equipment, and conduct fire drills because they are obligated to
Re: (Score:2)
There is a good bit of focus on the financial, but only because that is what buyers of insurance tend to want--protection from financial loss. There are some buyers who are also concerned about reputation damage from crisis situations, and there are insurance policies for that as well. Crisis coverage is generally added as a feature of a Directors & Officers Liability policy rather than a specialized cyber policy. It is a coverage that provides access to specialized PR services.
On the question about
Re: (Score:2)
Because insurances are notorious for requiring their customers to minimize the chance for a reason to file a claim, and your premium is usually dependent on your risk.
Spot on. It seems some people may think that insurance is some magic wand that will miraculously make losses disappear. I bet no insurance company will offer such an insurance without pretty detailed requirements and audits. In the end, those who can get the insurance at a price they are willing to pay may not actually need it...
Re: (Score:2)
I wouldn't mind that. You'll notice that very much the same applies for a lot of other insurances. Fire insurances are notorious for requiring rather ludicrous standards in some areas where you eventually wonder whether the fire would have been cheaper ... if it could still occur, that is.
Windows == negligence (Score:2)
Windows users pay higher premiums [cnet.com], but at this point it could qualify as willful negligence. Sure, the system may have come with Windows, but that's no excuse not to clean it off before connecting to the net.
Re: Windows == negligence (Score:1)
Re: (Score:2)
In addition to security there is also the ease of maintenance that you gain by eliminating Windows. But security alone should be enough to force the decision by insurance companies offering 'hacker insurance': Time may go by and the name may change, but it is still the old NT kernel underneath.
The Vista series is as vulnerable as XP [crn.com]. That includes Vista 7 and Vista 8. Every few months you have vulnerabilities that affect the whole zoo [rdot.org]. On top of that you have a thriving ecosystem of malware flame [arstechnica.com] and
Re: (Score:1)
Insurers don't price to set best practices for individuals - they price to ensure that every cohort is sufficiently profitable.
For example, it used to be the case in the UK that car insurance for young men was way more expensive than young women. In fact, women made more claims, but what really skewed things was a small proportion of extremely irresponsible young men who were involved in major and expensive incidents, skewing the "cost" of providing policies for the overall group of young men. Since the ins
medieval insurance (Score:1)
I have found great benefit in replacing the word "cyber" with the word "medieval" whenever I'm asked to evaluate things like this. It's fairly easy to do with a quick search and replace.
Rethink (Score:2)
I would hope that a company that takes reasonable steps to secure data is not liable for leaks. But if the leak is an exploit of software that is not open to study by the public then the creator of the software should bear the expenses involved. Open code should relieve liabilities.
Re: (Score:3)
Oh, please. Both open source and proprietary software have exploits. Just who is going to pay when a company that uses open source gets hacked? "The community"?
Cybersecurity is hard (Score:3)
Show us the math (Score:4, Interesting)
Re: (Score:2)
How do these companies arrive at hundreds of million/billion dollars worth of "damages" anyway? Is this using the MPAA/RIAA method of accounting?
100 million customers X $0.30 postage per breach notification + $0.01 paper stock per breach notification = $3.1 million
Estimated customer turnover (loss of subscribers due to breach): 5%
Estimated average customer age = 17
Estimated customer lifespan (age at which they would naturally stop using our product) = 100
5
Re: (Score:2)
Where does the figure come from?
It's the cost of having your obscenely overpriced lawyers shift the blame for managerial incompetence onto some teenager.
Re: (Score:2)
As someone who's had to do the security audit on a major (make the news) breach I can give some insight. Let's say you got busted by a company for hacking their email list so that you could send an angry rant to their CEO. On your way to getting the email list you took a look through their databases and papers just because you could and you were curious. One thing led to another and now you're being sent a bill by the judge for 6 or 7 figures and you're wondering how the hell they came up with the figure.
The first
Re: (Score:1)
I'm leaning more towards snake oil (Score:1)
Ways out for the insurance companies (Score:5, Funny)
- We took the money and ran, your coverage is void.
- You failed to adequately protect your network, your coverage is void.
- You angered nerds, you brought this on yourself, your coverage is void.
Re: (Score:2)
We spent all of your money before the close of the bank day.
So sue us....
At least we kissed your ass and gave you a doughnut.
Unconventional definition of loss? (Score:2)
many cyber insurance policies cover only the cost of re-creating whatever data may have been lost during the breach — not notification costs, legal costs or other related expenses."
Data loss in a security breach usually and normally refers to the data that was exfiltrated or successfully leaked by an attacker. For example: Data Loss Protection software is designed to detect attempts to send personally identifiable information such as social security numbers over e-mail or upload it out of the
Cyber Insurance == Correlated Risk (Score:1)
Take fire insurance for example. A fire that happens in say Miami, FL is most likely not going to increase the risk of a fire occurring in Seattle, WA. Therefore a fire insurance company can make sure that the clients they select are geographically distributed to distribute the r
But Don't we really already know the answer? (Score:2)
Anti-virus companies have been found to use scare tactics. And there would have to be such payout conditions that eliminate payouts for faulty IT work that contributed to a breach.
What we make we can break.... And since breaking would be a real easy thing to do...... I believe its called insurance fraud..... But here its a how easy is it to do and get away with? And then there are losses that cannot be recovered, once exposed to the public.
And where are the insurance companies going to get the payout money
Ophidian lipids, no doubt (Score:2)
Insurance means nothing in the current environment (Score:2)
For starters, the 1.25 billion estimate of Sony's loss is pure bullshit.
Even the TJX numbers are not likely a realistic representation. If you go back and review their stock price in the time frames in which the breach was announced and subsequent news was released, a small hit seemed to occur, but it did not have a long term impact. The sad reality is that their security efforts were a joke, and yes it cost them, but quite likely not more than it would have cost them to have put forth a considerable effort o
security system (Score:1)
Part of an Overall Compliance Strategy (Score:2)
2. Mitigate where possible
3. Insure the rest
I will offer them insurance (Score:2)