Comment The UK government last week partnered with 12 insurance companies to develop the "cyber-insurance" market. But experts are split on whether encouraging the development of the nascent market will result in the adoption of improved security practices.
Cabinet Office Minister Francis Maude said that while cyber insurance adds an extra layer of protection for organisations, it needed to be used in combination with good cyber-security practices more generally in order to get the best results.
The government is promoting the growth of the cyber insurance market as a means of improving cyber security risk management. It says the insurance sector can promote good practice by asking the right questions of customers in relation to their cyber breach and operational risk policies.
In your correspondent's opinion, arguing that boosting spending on breach insurance protection improves cyber security is akin to saying that growing the car insurance market will improve road safety.
The analogy is perhaps imperfect, though: the deal may marry compliance with insurance as a business-focused way to manage security risk.
Maude, lead minister in the UK's Cyber Security Strategy programme, co-hosted a summit of 12 CEOs from the UK’s insurance sector together with Marsh, the insurance broker and risk adviser, to discuss how the sector can help support the broader strategy of making the UK among the best places in the world to do e-commerce. There's also the potential that hacker breach insurance might improve the UK's balance-of-payments deficit.
The UK insurance sector is a global leader and a "natural home for a growing international cyber insurance market", according to UK government officials.
The government wants to use insurance as a driver for improving cyber security practice in UK businesses – SMEs in particular. A working group has been set up to assess the development of the cyber insurance market and report back to the Cabinet Office in April 2015, weeks before the next UK general election.
"Protecting the cyber security of UK businesses is an important part of this government’s long-term economic plan - we want the UK to be one of the most secure places in the world to do business," Maude said in a statement. "Cyber insurance does not replace the need for good cyber security practice but is an added protection for businesses in the event of breaches," he added.
Mark Weil, chief exec of Marsh UK & Ireland, said: "As recent network attacks and data breaches have demonstrated, cyber security events can quickly accumulate significant costs, inflict reputational damage, and undermine investor confidence. A massive data breach will invite litigation, generate regulatory fines, and instigate law enforcement investigations.
"Companies should be assessing their vulnerability to cyber attack and taking advantage of risk management and insurance solutions to mitigate the potential for these events to harm their business," he added.
Brian Honan, an infosec consultant who founded and heads up the Republic of Ireland's Computer Security Incident Response Team, said insurance firms are experts in risk management and therefore bring an expertise that is sometimes missing in the field of information security.
"While insurance will not directly prevent you from suffering a security breach, it will help focus management attention on the need to invest in better cyber security," Honan told El Reg. "One of the key weaknesses and immature areas we have in cyber security is the lack of accurate metrics on security breaches and disciplined risk management. Insurance companies are masters in risk management and have been for a long time; this is a discipline they will bring to bear on our industry."
So... HOW MUCH is it going to cost?
Working out suitable premiums when breach loss figures are often guesstimates is among the biggest challenges providers of insurance against security breaches will face.
Security consultant Rodrigo Bijou wondered: "How can an actuary estimate incident response times [and] costs associated when disclosure is a complete shitshow?"
Bijou added that one of the biggest problems in this area is that everyone acknowledges that breaches often result in the leak of intellectual property, but nobody knows how great a financial loss this represents.
Max Perkins, an underwriter in insurance firm Beazley’s technology, media and business services team, explained that the insurance industry is in the process of developing pricing models for the nascent market. "Cyber insurance pricing was initially driven by market influences such as cost of capacity, supply, and demand," Perkins told El Reg. "As breaches occur, insurers are able to analyse the data points to build more robust models."
Other interested observers, such as representatives of training and certification body ISC(2), argued that practices from other areas of insurance could be applied to setting premiums for breach insurance.
"Start high, track payouts and adjust? How do they insure other high impact/low likelihood events? E.g. natural disasters."
One, er, illuminating historical analogy for breach insurance could be fire insurance, and its role in developing and fostering adoption of building codes. The cyber insurance market could help foster widespread adoption of sound risk management practices across the industry, much as fire insurance helped drive adherence to safer building codes and fire prevention practices.
Loss assessment is an issue for the development of cyber insurance but not perhaps an insurmountable one, according to Honan.
"In order to calculate risk and premiums the insurance companies will also need good statistics on security breaches, their costs to the businesses, and the root causes of those breaches," Honan told El Reg. "Again, this is information that is not widely shared in the industry, but by engaging with insurance companies businesses will have to disclose this information, which in turn should enable us to identify trends and issues regarding security that companies need to address," Honan concluded.
Ross Brewer, vice president and managing director for international markets at security tools firm LogRhythm, said the collaboration between the financial services sector and the government to promote cyber security insurance made sense since it will not only "raise awareness of the issue, but also ensure damage is limited."
“While cyber insurance has been around for a while, the market has been relatively slow to take off," Brewer explained. "However, as cyber criminals become more sophisticated and we realise the inevitability of attack, it makes sense that businesses would want to have the greatest level of protection as the aftermath of a serious breach could be akin to a large-scale burglary. For insurers it’s not surprising they would want to capitalise on this modern risk facing UK businesses, and working with the government only provides a greater opportunity to get the word out there."
However, some security experts expressed concerns that an insurance safety net might engender complacency among some companies.
Rather than boosting cyber security, hack insurance protection could have the opposite effect, promoting a "we're insured, don't worry about securing that" scenario, security consultant Paul Moore warned.
Honan echoed this point: "My concern though would be many companies may take the option to invest in a cyber security policy with the view that any costs incurred from a security breach would be covered, rather than investing properly in securing their systems to prevent breaches occurring in the first place."