Please create an account to participate in the Slashdot moderation system


Forgot your password?
Security The Almighty Buck IT

Ask Slashdot: Cyber Insurance. Solution Or Snake Oil? 71

onehitwonder writes "A recent article in The Wall Street Journal's CIO Journal argues in favor of the benefits of cyber liability insurance — policies designed to help companies cover costs they incur in the aftermath of data breaches (whether for investigation, remediation, customer notification, regulatory fines or legal settlements). Two Deloitte consultants interviewed for the article argue that cyber insurance can help companies offset the increasingly staggering costs of a data breach. (Several of the biggest data breaches in recent history, including Heartland and TJX, have cost those companies hundreds of millions of dollars. A Mizuho Investors Securities analyst estimated the total cost of the 2011 Sony data breaches at $1.25 billion.) The question is: will insurance providers really come through when companies begin filing claims on their cyber liability policies, or will they find ways out? A 2011 article from Computerworld notes that even though a growing number of companies have been purchasing cyber insurance, it's hard to find examples where one of those policies has actually covered the costs of a data breach. Moreover, the Computerworld article points out that many cyber insurance policies cover only the cost of re-creating whatever data may have been lost during the breach — not notification costs, legal costs or other related expenses."
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Cyber Insurance. Solution Or Snake Oil?

Comments Filter:
  • by Jstlook ( 1193309 ) on Sunday August 04, 2013 @05:30AM (#44469005)
    Insurance companies *always* try to find a way out. That's their job; protect their bottom line.

    If you don't get too screwed, they'll probably pay out, just because it improves their reputation enough to improve their bottom line.

    Do you want to bet that you'll get less screwed by a data intrusion than by the insurance company? Go for it!
    • by Rockoon ( 1252108 ) on Sunday August 04, 2013 @05:42AM (#44469031)

      Do you want to bet that you'll get less screwed by a data intrusion than by the insurance company? Go for it!

      That is in effect the essential idea of insurance. Its a wager. Clearly it only works if more money gets taken from "losers" than gets paid to "winners."

      • by Anonymous Coward

        Might as well buy a lottery ticket instead!

      • Frankly when you are talking about something that can cost over 100 million if you are a big company and get hacked? hell you might as well use the monthly premiums for blackjack because you KNOW they'll just file bankruptcy if you try to cash it in.

        The simple fact of the matter is the ONLY way insurance works is if there are enough buyers to 1.- pay out any losses and 2.- if its a publicly traded company pay for the ever higher profits they have to show to keep the stocks from tanking. When you are talki

        • That's what re-insurance is for, they insure the insurance company in case there are too many pay outs for them to remain insolvent.

          What's more, insurance is typically regulated, which means that there are limitations on when they can refuse a claim. In most cases they have to pay out, provided the incident is covered and unless they have evidence of insurance fraud.

          In practice, they'll usually pay unless there's flagrant fraud going on, but if the incident shouldn't have been covered, they'll often times j

      • by graphius ( 907855 ) on Sunday August 04, 2013 @10:30AM (#44469869) Homepage
        I am not a fan of insurance in general. In essence, you are betting against yourself. For the case of this article, why don't you take the money you pay in insurance premiums and invest it in securing your systems... Seems like a better bet to me.
        • Law of diminishing returns. There are a few good journal papers looking at the optimum investments into IS from game theoric and other modeled approaches In short: at some point the economic investment of continued improvement is offset by the likelihood of that vulnerability being exploited. At that point if the risk is still above an acceptable level your only real option is transference.
        • The point of insurance is to cover potential expenses that you cannot cover yourself by joining a risk sharing pool.

          If somebody at WalMart offers to sell you a $20 insurance policy on a $100 bike, then you're a fool to take it because you can cover the $100 yourself.

          If you can't cover the cost of rebuilding your $200,000 house out-of-pocket, then you better have fire insurance on it.

          Those things aside, insurance creates an incentive to do good things. If you have smoke detectors and fire extinguishers in y

          • so in other words, insurance motivates you to do things you should do anyway. And for the privilege of this knowledge you get to pay them less. The other alternative is to do these things anyway.... Yes I know that, in theory, insurance can be a way to balance risk over a wider group. However, much modern insurance is a money grabbing scam. Most people are way over insured, and pay more in premiums that the realistic risk.
            • No system is 100% secure or safe, insurance takes a fee to pay for the repairs or lawsuits if something that you can't prevent happens. For instance, auto insurance often times covers uninsured motorists that crash into you due to their negligence. Sure, you can sue them, but a person like that might not have sufficient assets to pay reparations for the damage. And if they die, the estate may not have sufficient cash to pay off any claims. In terms of crackers, even if you do manage to catch them, how many

              • I think you and I disagree on a fundamental point.
                You feel that disasters happen, and that you should be prepared (by having insurance)
                I feel that disasters are rare. Most (not all) disasters are also avoidable IMNSHO.

                As an example, my car has been broken into twice in the last 15 years. (my car is very easily broken into...) On the first occasion, they got a laptop and some other stuff, on the second occasion they got about $5.00 in parking change. Let's say the two thieves got away with $1000 in goods
                • Right, and you don't understand insurance. And you also don't understand basic statistics. It doesn't really matter if it's a 1 in a million risk if ultimately it does happen and you lose your house over it. That's where insurance comes in handy. The insurers have actuaries that estimate the likelihood of the event happening and the price tag if it does happen. And they're surprisingly good. They might not know exactly what your risks are, but they're pretty good.

                  Insurance isn't really there for things you

          • The point of insurance is to cover potential expenses that you cannot cover yourself by joining a risk sharing pool.

            Tell that to health insurance in America.

            The kind of insurance that you are talking about (classic catastrophic coverage) isnt enough to avoid new federal fines for not being insured enough. You must "share the risk" of things like yearly checkups, too.

      • That is in effect the essential idea of insurance. Its a wager. Clearly it only works if more money gets taken from "losers" than gets paid to "winners."

        If it were merely that, insurance companies would be a nearly honest business, like bookies or casinos...

        The trouble is not so much that, for insurance to be something worth offering, the sum paid in (by all subscribers) must be greater than the sum paid out (to parties who end up making claims); but that insurers are...talented and creative... when it comes to reducing both the number of eligible claimants and the size of eligible claims. At least in ordinary gambling, the rules of the game are generally f

      • Not really. People who treat insurance that way don't understand insurance. The point of insurance isn't to win some sort of lottery. On average, you will pay more for your insurance premium than you will for your claims. What insurance does is let you take an existing, expensive risk, and ameliorate it over time.

        Take home insurance. Say your home and contents is worth $100,000. The existing risk is that if your house burns down, you're up for a $100,000 bill to replace everything. Say the premiums for your

    • by flyneye ( 84093 )

      Just a hunch, but, maybe people should check to see if these "insurance" companies are allowed to operate in their state before getting happy with the checkbook.

    • We buy insurance to hedge against a major problem. House on fire, theft, car accident, floods, law suites... For the most part stuff you normally don't want to happen to you. The Insurance company job is to cover you in case of the problem.
      Now they can't operate without making money, and they are for profit. So they will try to make sure they will make their money on the whole. They do this by charging a fee for service. Now the cost of the fee per service needs to be high enough to cover your probabili

    • by sjames ( 1099 )

      Apparently, to actually be covered you need insurance insurance and insurance insurance insurance.

  • by Opportunist ( 166417 ) on Sunday August 04, 2013 @05:46AM (#44469041)

    When you look at the various data breeches that became public in the more recent past (especially those done as some kind of protest or out of spite, to harm a company in its goodwill) and analyze the attack vector, you cannot help but shake your head in disbelief. The vectors range from SQL injections to exploits in ancient software that should have been patched months, if not years ago. If that isn't the textbook example of negligence, what is?

    Still, I'm all FOR insurance. Because insurances are notorious for requiring their customers to minimize the chance for a reason to file a claim, and your premium is usually dependent on your risk. If you invest in security, your insurance premium would be lower, and we might FINALLY see some CEOs invest in security since now they can see that it's cheaper than paying for the insurance, since they're blind to the fact that it's cheaper than paying for the fallout.

    • Yes, insurance companies are a lot more risk minded than the average company. They also see a lot more 'fail' events than any single ordinary company so they are much more aware of various risks.

      So it's reasonable to assume that they will impose more effective and more thorough security standards than companies would otherwise do. Just think about fire hazards. Most companies I know of implement fire prevention measures, install firefighting equipment, and conduct fire drills because they are obligated to

      • by lpevey ( 115393 )

        There is a good bit of focus on the financial, but only because that is what buyers of insurance tend to want--protection from financial loss. There are some buyers who are also concerned about reputation damage from crisis situations, and there are insurance policies for that as well. Crisis coverage is generally added as a feature of a Directors & Officers Liability policy rather than a specialized cyber policy. It is a coverage that provides access to specialized PR services.

        On the question about

    • Because insurances are notorious for requiring their customers to minimize the chance for a reason to file a claim, and your premium is usually dependent on your risk.

      Spot on. It seems some people may think that insurance is some magic wand that will miraculously make losses disappear. I bet no insurance company will offer such an insurance without pretty detailed requirements and audits. In the end, those who can get the insurance at a price they are willing to pay may not actually need it...

      • I wouldn't mind that. You'll notice that very much the same applies for a lot of other insurances. Fire insurances are notorious to require rather ludicrous standards in some areas where you eventually wonder whether the fire would have been cheaper ... if it could still occur, that is.

    • Because insurances are notorious for requiring their customers to minimize the chance for a reason to file a claim, and your premium is usually dependent on your risk.

      Windows user pay higher premiums [], but at this point it could qualify as willful negligence. Sure the system may have come with Windows but that's no excuse not to clean it off before connecting to the net.

      • Way to pick a 10 year old OS. Current NIST and US-CERT advisories have everyone on a pretty even playing field. Unless we're going to have our office personnel running secure BSD, OS comparison is pointless without discussing overall governance.
        • In addition to security there is also the ease of maintenance that you gain by eliminating windows. But security alone should be enough to force the decision by insurance companies offering 'hacker insurance': Time may go by and the name may change, but it is still the old NT kernel underneath.

          The Vista series is as vulnerable as XP []. That includes Vista 7 and Vista 8. Every few months you have vulnerabilities that affect the whole zoo []. On top of that you have a thriving ecosystem of malware flame [] and

    • Insurers don't price to set best practices for individuals - they price to ensure that every cohort is sufficiently profitable.

      For example, it used to be the case in the UK that car insurance for young men was way more expensive than young women. In fact, women made more claims, but what really skewed things was a small proportion of extremely irresponsible young men who were involved in major and expensive incidents, skewing the "cost" of providing policies for the overall group of young men. Since the ins

  • by Anonymous Coward

    I have found great benefit in replacing the word "cyber" with the word "medieval" whenever I'm asked to evaluate things like this. It's fairly easy to do with a quick search and replace.

  • I would hope that a company that takes reasonable steps to secure data is not liable for leaks. But if the leak is an exploit of software that is not open to study by the public then the creator of the software should bear the expenses involved. Open code should relieve liabilities.

    • by murdocj ( 543661 )

      Oh, please. Both open source and proprietary software has exploits. Just who is going to pay when a company uses open source gets hacked? "The community"?

  • by iritant ( 156271 ) <> on Sunday August 04, 2013 @06:28AM (#44469143) Homepage
    And here [] is a great article from researcher Rainer Bohme that explains why it's hard. It's a fairly technical paper, but one big issue is that insurance companies operate on a reserve that assumes catastrophic events are bounded, perhaps by region. That's not the case with correlated cyber-risks. This is explained in Section 3.
  • Show us the math (Score:4, Interesting)

    by Dunbal ( 464142 ) * on Sunday August 04, 2013 @06:32AM (#44469149)
    How do these companies arrive at hundreds of million/billion dollars worth of "damages" anyway? Is this using the MPAA/RIAA method of accounting? Do they have to shut down the entire company for a week? Seriously, did absolutely no one make a recent backup of the databases? Do they have to replace all the computer equipment? Are the IT people so expensive? Where does the figure come from?
    • by mysidia ( 191772 )

      How do these companies arrive at hundreds of million/billion dollars worth of "damages" anyway? Is this using the MPAA/RIAA method of accounting?

      100 million customers X $0.30 postage per breach notification + $0.01 paper stock per breach notification = $3.1 million

      Estimated customer turnover (loss of subscribers due to breach): 5%

      Estimated average customer age = 17
      Estimated customer lifespan (age at which they would naturally stop using our product) = 100

    • Where does the figure come from?

      It's the cost of having your obscenely overpriced lawyers shift the blame for managerial incompetence onto some teenager.

    • As someone who's had to do the security audit on a major (make the news) breach I can give some insight. Let's say you got busted a company for hacking their email list so that you could send an angry rant to their CEO. On your way to getting the email list you took a look through their databases and papers just because you could and you were curious. One thing led to another and now your being sent a bill by the judge for 6 or 7 figures and your wondering how the hell they came up with the figure.

      The first

      • by g0rd0 ( 2995987 )
        By this logic ubuntuforums is now worth more than Canonical. Which wouldn't be surprising except their greatest revenue stream is now security breaches.
  • I am leaning more towards snake oil, but it might be a good thing. I have often had doubts about the monetary damages claimed in outages/leaks/data theft. Insurance companies providing other types of insurance don't just pay out claims because you said something was valuable, but want some supporting evidence of the value of the claim. Maybe the companies filing claims against their "cyber insurance" policy will have a hard time justifying it, and we will stop seeing exaggerated claims. The reason I say it
  • by fox171171 ( 1425329 ) on Sunday August 04, 2013 @07:02AM (#44469201)
    Ways out:

    - We took the money and ran, your coverage is void.
    - You failed to adequately protect your network, your coverage is void.
    - You angered nerds, you brought this on yourself, your coverage is void.
    • by Bob_Who ( 926234 )

      We spent all of your money before the close of the bank day.

      So sue us....

      At least we kissed your ass and gave you a doughnut.

  • many cyber insurance policies cover only the cost of re-creating whatever data may have been lost during the breach — not notification costs, legal costs or other related expenses."

    Data loss in a security breach usually and normally refers to the data that was exfiltrated or successfully leaked by an attacker. For example: Data Loss Protection software is designed to detect attempts to send personally identifiable information such as social security numbers over e-mail or upload it out of the

  • Traditional insurance that include life insurance and fire insurance work on a key premise. This premise is that they can get enough different types of clients that can not only distribute the risk, but also decouple the risk.

    Take fire insurance for example. A fire that happens in say Miami, FL is most likely not going to increase the risk of a fire occurring in Seattle, WA. Therefore a fire insurance company can make sure that the clients they select are geographically distributed to distribute the r

  • Anti-virus companies have been found to use scare tactics. And there would have to be such payout conditions that eliminate payouts for faulty IT work that contributed to a breach.

    What we make we can break.... And since breaking would be a real easy thing to do...... I believe its called insurance fraud..... But here its a how easy is it to do and get away with? And then there are losses that cannot be recovered, once exposed to the public.

    And where are the insurance companies going to get the payout money

  • Private insurance companies are not in business to benefit policyholders, but to enrich shareholders and executives. The companies in jeopardy would be wise to form a cooperative to attend their indemnification needs. Call it open sourced insuring.
  • For starters, the 1.25 Billion estimate of Sony's lost is pure bullshit.

    Even the TJX numbers are not likely a realistic representation. If you go back and review their stock price in the time frames which the breach was announced and subsequent news was released, a small hit seemed to occur, but it did not have a long term impact. The sad reality is that their security efforts were a joke, and yes it costs them, but quite likely not more than it would have cost them to have put forth a considerable effort o

  • Most cyber insurance policies require auditable security system in place. They will audit it after the incident and they usually will find reasons not to pay if you have never done external security audit and if CEO thinks that security is IT job.
  • 1. Perform Audit
    2. Mitigate where possible
    3. Insure the rest
  • I will gladly offer them insurance for only $1 million dollars a year, policy is null and void if your network is found to be insufficiently secured, as evidenced by a successful intrusion attempt.

Any sufficiently advanced technology is indistinguishable from a rigged demo.