Every time I think I’m making progress on controlling my cynical gene, I see something that sets me back almost to square one. I’ve been in this game for a long time, and although I think subconsciously I know some things are going on, it’s still a bit shocking to see them in print.
What set me off this time is Richard Bejtlich’s brief thoughts on the WEIS 2010 (Workshop on the Economics of Information Security) conference. His first thoughts are around a presentation on cyber insurance. The presenter admitted that the industry has no expected loss data and no financial impact data. Really? They actually admitted that. But it gets better.
Your next question must be, “So how do they price the policies?” It certainly was mine. Yes! They have an answer for that: Price the policies high and see what happens. WHAT? Does Dr. Evil head their policy pricing committee? I can’t say I’m a big fan of insurance companies, and this is the reason why. They are basically making it up. Pulling the premiums out of their butts. Literally. And they would never err favor of folks buying the policies, so you see high prices.
Clearly this is a chicken & egg situation. They don’t have data because no one shares it. So they write some policies to start collecting data, but they price the policies probably too high for most companies to actually buy. So they still have no data. And those looking for insurance don’t really have any options.
I guess I need to ask why folks are looking for cyber-insurance anyway? I can see the idea of trying to get someone else to pay for disclosure – those are hard costs. Maybe you can throw clean-up into that, but how could you determine what is clean-up required from a specific attack, and what is just crappy security already in place? It’s not like you are insuring Sam Bradford’s shoulder here, so you aren’t going to get a policy to reimburse for brand damage.
Back when I worked for TruSecure, the company had an “insurance” policy guaranteeing something in the event of a breach on a client certified using the company’s Risk Management Methodology. At some point the policy expired, and when trying to renew it, we ran across the same crap. We didn’t know how to model loss data – there was none because the process was perfect. LOL! And they didn’t either. So the quote came back off the charts. Then we had to discontinue the program because we couldn’t underwrite the risk.
Seems almost 7 years later, we’re still in the same place. Actually we’re in a worse place because the folks writing these policies are now aggressively working the system to prevent payouts (see Colorado Casualty/University of Utah) when a breach occurs.
I guess from my perspective cyber-insurance is a waste of time. But I could be missing something, so I’ll open it up to you folks – you’re collectively a lot smarter than me. Do you buy cyber-insurance? For what? Have you been able to collect on any claims? Is the policy just to make your board happy? To cover your ass and shuffle blame to the insurance company? Do tell. Please!
Photo credit: “Dr Evil 700 Billion” originally uploaded by Radio_jct
Reader interactions
6 Replies to “Pricing Cyber-Policies”
@Mike
I’m kinda surprised no one has mentioned this possibility: that the companies that would shop for this kind of insurance have done the analysis internally on their costs of breaches and data loss… and, ignoring any “immoral” behaviour on their part, they have determined their costs to be less that the current asking price of such insurance.
So… that begs the question: just how many companies are voluntarily buying this type of insurance? (you must exclude those legally required for this question)
One should be able to infer a relative cost/value of this type of insurance from from how many companies purchase it.
@chris,
This is exactly the kind of discussion I was hoping for. Thanks for that. Clearly the real issue is when to transfer that risk, at what price and with what assurances that the risk is actually transferred (given the insurer can seemingly decide they are not liable – see Colorado Casualty).
But we all have to keep in mind that just because you are insured (maybe) doesn’t mean you don’t need to pay attention and continue to try to prevent attacks and react faster to the ones that happen.
Mike.
There is margin in mystery
I agree that Cyber Insurance is not working at the moment, and it will take a significant amount of time until this will be a viable option to cover loss in this area.
Working for a big company, I noticed that even internally a loss calculation is impossible. I’m only talking about loss calculation for simple things as a lost computer or smart phone. Going to a bigger scale, loss calculation for an outage of a critical applications is even more difficult.
So as long as you can’t calculate internally, no insurer will be able to make a proper calculation and put a price tag to the risk. I heard from a big insurer that it took them over twenty years to build a proper database for premium calculation for producing companies (eg. car builder or food producer).
Without data on loss and impact, how does Chubb know that they have priced it high? Someone needs to be fired.