Exploring the economic realities of cybersecurity insurance | Salted Hash Ep 43

September 16, 2019 posted by


Welcome back to Salted Hash. I’m Julia Beauchamp, I’m here with J.M. Porup, and today we are going to be discussing cybersecurity insurance.

This episode of Salted Hash is sponsored by Veracode. The company’s latest State of Software Security report finds software security is still a challenge at organizations around the world. Find out why fix rates for application vulnerabilities are still lagging and what CISOs can do to improve their software risk posture in Veracode’s new podcast series, which can be found at the address below.

So, J.M., cyber security insurance: pretty hot topic as of late. I mean, it seems like there’s so many ways that you can protect yourself against a hack, but in case that hack happens, cyber security insurance is really important.

Yeah, cyber security insurance is a still growing part of the security landscape, and on the one hand it has the potential to provide financial incentives to enterprises to improve their security game across the board. And for enterprises, transferring some risk is usually seen as a good risk management move. The other side, the downside of cyber security insurance, is that it is still early days yet, and there’s a little bit of growing pains in the industry and some concerns that cyber security insurance as it’s currently being bought and sold is creating maybe perverse incentives to not always do the right thing.

Yeah, there is definitely that debate within the security community about whether cyber insurance will actually incentivize these good security practices. Can you go into a little bit more depth about why, you know, not everyone’s sure that having cyber security insurance will actually make businesses want to do good?

Sure. Well, so, I mean, insurance is centuries old, from the days of sail, and the concept of insurance is a well developed sort of, you know, business strategy. It’s in no way new, and one of the key components that all insurance companies grapple with is the so-called moral hazard of insurance: the idea that if you transfer too much risk, or all the risk, then that creates perverse incentives that result in bad outcomes. For instance, if I have fire insurance on my house and I, you know, I don’t install fire alarms and I negligently, you know, leave candles all over my house, and my house burns down because I engaged in gross negligence, you know, an insurance company is going to say, well, you know, we offered fire insurance but you burned your house down. It’s not, we’re not going to pay out if you burn your house down or if you engage in gross negligence that results in your house burning down. This is why we have deductibles and also capped payouts on most insurance plans: the idea that you can transfer some of the risk but you have to assume some of the risk yourself, that it’s a shared risk between the insured and the insurance company.

And when we talk about cybersecurity insurance, the question is: is it cheaper? If you’re a purely profit motivated CEO, it would be economically reasonable to say, is it cheaper to pay a small amount of money for an insurance policy and not spend money doing the right thing to secure my enterprise, on the expectation that an insurance payout would then economically compensate you when a breach happens? And the cost of an insurance policy is often substantially cheaper than doing due diligence. And there is this coming clash between insured enterprises who are looking for a cheap way out of doing the hard work in security and insurance companies saying, you know, you can transfer some of the risk but you still have to actually do the hard work of doing good security.

Absolutely. And I mean, to me it would almost seem intuitive that a business would want to practice good security, because obviously there would be a monetary loss, but not to even mention the loss to your reputation, the business’s reputation, the CEO’s reputation. And on top of that, it just seems like the right thing to do. Is that just too optimistic, to think that businesses are just, you know, they want to secure their enterprise because it’s the right thing to do?

You know, call me a professional cynic. If we look at similar cases, such as if we look at the developments of environmental protection laws, the 1960s, perhaps it is economically more profitable to dump toxic waste into fresh water, causing cancer for large portions of the population, than it is to actually properly dispose of your toxic waste, and many companies in the 60s deliberately did so. And so the government stepped in and said, you know, it is not in the public interest for for-profit companies to be dumping toxic waste into fresh water. Like, this is bad for society, this is bad for everybody. It may be profitable, it may be economically good for the corporation, but as a society we cannot tolerate this kind of corporate conduct.

And I feel like we may be in a similar situation today. If we look at the Equifax breach, you know, Equifax suffered a major breach. I’ve had numerous security experts call it gross negligence. Like, in their opinion Equifax full-on committed gross negligence. They got breached, pretty much every adult in the United States was economically harmed as a result, Equifax’s security insurance paid out on the order of like a hundred million, their share price rebounded in a couple of months, their CEO quit with a golden parachute. There’s been no real regulatory punishment, there’s been no market punishment. And a big part of this is, beyond the failure of the government to regulate in the public interest, there’s also the fact that in many of these, specifically breaches, the customer is not you and I. Equifax’s customer isn’t you and me; it’s the people who give Equifax money. It’s the banks, it’s the people who want to see your credit score and my credit score. And as far as those customers are concerned, they are not harmed by disclosure of our personal information. And so you have this sort of grave social harm with very misguided economic and regulatory incentives producing bad outcomes for society as a whole. And the people I’ve spoken to are comfortable saying some combination of better regulation and insurance based financial incentives is probably the right way to get where we want to be, which is where companies do the right thing not only for their bottom line but for the good of society as a whole.

Yeah, absolutely. So what kind of requirements do cyber insurance policies place on companies to minimize the risk of losses from these attacks? You know, I mean, Equifax got, like you said, millions and millions of dollars and eventually, correct me if I’m wrong, turned, you know, posted a profit because of these payouts. How do other cyber insurance policies minimize that risk of having to pay out so much and, you know, going broke?

That’s
a great question. So let’s take a common-sense example that I think everybody can understand, which is car insurance. If you buy a red Ferrari, you’re going to be paying a lot more in insurance, because the kind of person who buys a small, red, expensive sports car is more likely, actuarially speaking, to be involved in some kind of accident than someone who buys like a ten year old Volvo. You know, this is a sort of risk profile that, like, we can all kind of understand. And insurance companies will reward good drivers. Like, if you don’t have a ticket or any kind of driving violation for ten years, your car insurance is going to be lower, whereas, like, every time you get a speeding violation your insurance is going to go up, because you are now perceived as being a higher risk driver to insure. So insureds who engage in reckless conduct pay more for insurance because they’re more likely to require an insurance payout, and people who are more cautious and do their due diligence and drive safely pay less for insurance. And I think pretty much everyone in the cybersecurity insurance business would like to see us live in that kind of world, that companies that do their due diligence in terms of security are in fact financially rewarded with lower premiums. I think if you asked anyone in cybersecurity insurance, they’d be like, you know, that’s the world we want to live in. We want to offer low premiums to secure companies and high premiums to insecure companies. Like, that’s insurance 101. But the problem is that that’s
not yet the world where we are today. Historically, cybersecurity insurance was: sell the policy now and worry about any fallout later, just to grow the market, because this is brand new. 15 years ago this cyber security insurance basically didn’t exist. So insurance companies are really about gathering enough information to have sufficient data to perform solid actuarial science, to be able to even understand. I mean, this is not an easy problem. If you’re an insurance company, how do you say this company is a good risk and this company is a bad risk? That is not a fully solved problem. Historically, the insurance companies have worked on questionnaires. They would send you a five page questionnaire and they’d ask really basic questions, like what sector are you in, do you use encryption, what kind of technology do you deploy, and this very crude, rudimentary calculus would arrive at almost throwing a dart at a, you know, a bull’s eye kind of score. And today we’re seeing a move to more quantitative measurement, in terms of many insurance companies will scan the entire IPv4 address range every week and then sort of map the external facing security posture of both insureds and potential insureds as a way to bring a less qualitative approach to measuring risk. But even still it remains more art than science, and that is a problem going forward.

Yeah, absolutely. It doesn’t seem like there’s clear outlines for the companies that write these policies to follow. So what are, you mentioned those sort of rudimentary basics of security, encryption. What are some other steps that companies could take to secure their enterprise to, in a perfect insurance market, have those lower premiums and be, you know, a good risk to take for an insurance company?

Well, I mean, at this point, you know, an enterprise should be talking to their insurance broker or to the insurance company themselves, and it really needs to be emphasized that these kind of policies, everything is negotiable. That’s a key takeaway for viewers today. If you are an enterprise looking to sign or to negotiate a new cybersecurity insurance policy, understand that everything is negotiable. Literally everything. If there are specific things you want or need, then you need to tell your insurance broker, and you need to be very careful of exclusions. If you are not careful with exclusions, you can find yourself without an insurance payout when you really need one.

Mm-hmm.

And how do insurance companies ensure that the requirements that are outlined in their policies are met? I mean, I know for car insurance, for example, there’s some companies, the car insurance companies, that will give you a device to put in your car to, you know, make sure you’re not speeding 215 miles per hour over the speed limit, and that’s an obvious, clear way to regulate that safety is being met. How, for something like cybersecurity, can these insurance companies regulate that their enterprises are taking necessary steps to be secure?

That’s a great question. Most of them aren’t. That requires visibility into the internal network of an enterprise, and I’ve spoken to people who work in the cybersecurity insurance business, and what they want is internal visibility into actual in-house security practices. But basically at this point almost no insurance companies have that kind of visibility. The best they can do is analyze external facing security posture, because that’s visible for all the world to see, including both insurance companies and potential attackers. But convincing enterprises to offer internal visibility into the potentially quite intimate details of how their security is configured is, to the best of my knowledge, not yet a reality, although I expect insurance companies to begin pushing harder for that kind of visibility to do just as you say: you know, how can we verify you’re actually doing the right thing?

Yeah, and that would be really interesting, to understand how having that sort of visibility into a company’s security, how that in and of itself poses another security risk. Does having too many, you know, hands in make everything less secure? That’s a question for you. I don’t, what do you think?

Oh no, I mean, and it’s a valid question. How do you offer an internal view of an enterprise without exposing that to a potential attacker?

Mm-hmm.

Which also brings us to the question of, there’s what’s called a cat risk, catastrophic risk. If you’re an insurance company, you don’t want to be at risk of the same risks as your insured. If you are an earthquake insurance company, you’re not gonna put your headquarters in the San Francisco Bay Area. If, you know, if you’re insuring against hurricanes, you’re not going to put your headquarters in Orlando or Miami. You know, it’s important for an insurance company to not itself be exposed to the same potentially catastrophic risks as the companies they propose to insure. But the problem is that on the internet everything is connected. Yeah, and insurance companies, simply by being on the Internet, are equally exposed to the same kinds of systemic catastrophic risk as the insured enterprises that they insure, and that is definitely an unsolved problem so far.

Because cyber insurance is relatively new, when do you think it really started to become commonplace for companies to take out cyber insurance policies? Or is it not even commonplace?

So historically this has been originally a US focused thing. It began with a California data breach law about 15 years ago, the exact year escapes me, and it’s slowly increasing in popularity in Europe. The GDPR has seen a big rush of companies looking to get insurance as well. And the focus until recently has been about breach insurance, because of the breach notification laws in California and elsewhere. That’s beginning to change. Breach insurance is possibly, and in my personal opinion, one of the least useful or interesting forms of [insurance], because of the massive third-party harms. For, again, the Equifax example, you and I are the ones who are harmed, but we have no economic impact on Equifax as one of their customers. Whereas things like business continuity insurance, like, Lloyd’s of London did a huge report earlier this year called Cloud Down, saying, you know, what happens if AWS goes down? Some insane majority of, you know, the American economy is based on Amazon Web Services, but if Amazon Cloud went down for 12 hours, 24 hours, 36 hours, we’re talking billions of dollars of harm to the economy. And that’s a more, again personal opinion, that seems to me a more realistic kind of insurance, where we’re not talking about third party harms but actual direct harms to the company being insured itself. So that sort of evolution of cyber insurance from just breach insurance to other kinds of cyber related insurance will continue to evolve and grow, I predict.

So there aren’t a ton of companies that are necessarily taking out these more, they’re not being as proactive? Are they sort of looking towards, you know, worst-case scenario with a data breach, or are they being more secure with these more proactive policies?

Well, let’s take
the example, to contrast the example of Equifax, let’s take the example of Maersk, the giant Danish shipping line that was severely harmed by NotPetya. Now, that was not a data breach. Maersk does not have ordinary consumers as customers. You know, they own boats and the boats move things around the world on oceans, right? You know, their customers are all major corporations, and NotPetya shut down their ocean-going vessels, shut down their head office for like weeks or months, causing hundreds of millions of dollars of damage, disrupting their business and disrupting the business of their customers. And I think that’s the kind of risk that should be more and more on enterprises’ minds. It’s not just about dealing with compliance issues and insuring against data breaches, but it’s going to be more and more about ensuring business continuity and the consequences of these kinds of disruptive attacks. I don’t think NotPetya is going to be the last kind of sabotage focused malware we’re ever going to see. It seems like the beginning of a trend, not a one-off incident.

Absolutely. And if we could dive in a little bit to the NotPetya attack, this is, as you said, sort of what you believe is going to be indicative of a larger trend, and the issue with that cyber insurance situation was that the insurer is pretty much refusing to pay out for these damages, correct?

Yeah, so at
the time of this shooting, the filming of this episode, there was news that a major Swiss snack food company, which owns Oreo and Nabisco and a bunch of other major brands you’ve surely heard of, was also severely harmed and had their business disrupted by the NotPetya sabotageware attack, and made a claim of a hundred million dollars to their insurance company. And this goes back to what we’re talking about before about exclusions, because one of the fundamental principles of insurance from the very beginning is that war is not insurable. There is no way to insure against war. The insurance companies have always, on principle, refused to insure that, because there’s no way to do that, economically speaking. Terrorism and piracy are insurable, both historically and in the present tense, but war as such is not. And in the insurance policy this company had, I forget the name of the company, huh, please help me out, they had a war exclusion in their contract, in their insurance policy, that specifically excluded incidents caused by nation-state attackers that were a hostile or warlike action, I believe was the exact language. And, you know, NotPetya was not ransomware, it was not racketeering. It was outright destructive sabotageware with no intention of seeking a ransom, and every indication that we know of suggests that NotPetya was created and deployed by the Government of Russia, initially to attack the Ukraine, but it then indiscriminately spread elsewhere, and it was designed to do so, to cause chaos. And so the insurance company is saying, well, this is a hostile or warlike attack by a nation-state actor, and a common sense view of the NotPetya attack confirms that assessment. And naturally the insured is suing their insurance company, saying, you know, one hundred million dollars is a lot of money, we’re going to take that one to court and see what happens. But it really should be raising a red flag for enterprises looking for cyber insurance. Everything is negotiable. If you want your company insured against the next NotPetya attack, you need to review your insurance policy for these kinds of exclusions and negotiate that with your insurance company, or if there is another NotPetya like attack you may be hung out to dry with no recourse in the courts.

Absolutely. This really, if
this is going to be indicative of a trend, it would make sense for enterprises to reassess their policies and make sure that they’re protected and they don’t have these sorts of exclusions. Are there any other sorts of exclusions that are commonplace in cyber insurance policies besides just warlike attacks, or is that really the main exclusion?

Well, one thing on a lot of people’s minds is sort of, you can call it terrorism, you can call it the gray area between criminal hacking and an actual warlike action. As one source told me, you know, look, insurance as we consider today comes out of the days of sail, when ships went down and you insured your ship coming back home to harbor with, you know, the spices from, you know, the Far East or whatever, and piracy was a serious issue for hundreds of years. So you were insuring not just against, you know, a massive storm sinks your ship with all hands, but also you were insuring against piracy. And while war as a first principle is never insurable, piracy and non nation-state warlike attacks generally are considered negotiably insurable, because a pirate or a terrorist, or whatever word you want to use to label that kind of activity, doesn’t have the resources of an actual government, and it is therefore considered less of a threat. And at a certain scale here we’re also talking about government backed insurance programs. Both the UK and the US government, for instance, offer, so you have insurance companies and then you have reinsurance companies, because insurance companies themselves have insurance, and then the reinsurer sort of insures the other insurance companies, and for certain kinds of insurance the government itself, with taxpayers’ money, will reinsure reinsurers insuring against certain truly catastrophic events. For instance, here in Manhattan after 9/11, a whole bunch of insurance companies were like, whoa, we’re not going to insure tall buildings in Manhattan anymore. Like, that is not a financially viable thing for us to do. If there’s another 9/11, that’s just going to destroy our business. We can’t do that. And the US government was like, hang on a second, like, we need to have financial insurance for big companies on Wall Street with very tall buildings. So what the US government does, and what the UK government has also been doing since the conflict with the IRA during the Troubles, is to say, we will reinsure insurance companies insuring against terrorism. I think as of 2019 the U.S. policy backstop is 200 billion dollars, that’s with a B. So in order to make it possible to insure against piracy, terrorism, whatever words you like to use, governments are stepping in and saying, you know, we need to insure against these, and we will make sure, in the interests of society and the economy and stability of the government, that certain of these risks are covered to a
certain extent.

Okay, I understand. So even though there is this warlike exclusion, a warlike exclusion does not necessarily relate to terrorism or piracy. I understand what you’re saying.

Like, if you had a, I don’t know, I don’t know why, but let’s say you had some sort of non-governmental group of hackers who decided they wanted to destroy something because, I guess, I don’t know why, then that would potentially, if it were clearly attributed, be covered under a sort of a terrorism insurance policy. Whereas if the government of Russia or the government of North Korea or what-have-you says, we’re going to hack something and blow it up because, I guess, we want to, then that would be an act of war, or, even though war wasn’t declared, it would still be like, you know, this is a warlike action even though war hasn’t been declared, and therefore not covered. So it gets pretty tricky, and if you’re insuring it, you know, for hundreds of millions of dollars, again, you know, have your general counsel talk to your insurance company and talk about those exclusions.

Understood. So the enterprise, when they’re looking at their exclusions and maybe reassessing their policies, they should really just be paying attention to these warlike exclusions.

You know, if you’re wanting to claim a hundred million dollars from your insurance company, from them, from NotPetya, you better be sure that your insurance policy is gonna cover that.

Okay, got it. So really, just, so wrapping up here, J.M., there’s obviously such a wide range of policies and such a wide range of enterprises that are taking steps to secure their companies, and others that perhaps are looking just for a payout. So what would it take for cyber insurance to become a consistent and effective means of incentivizing good practice?

That is the billion dollar question that’s on everybody’s mind. Almost literally. No, no, absolutely, because, you know, you want the carrot and you want the stick. You want the government regulating to say, you know, you can’t do bad things, we’re going to fine you if you do. But you also want to have financial incentives to drive innovation, because regulation does not really drive innovation unless you use the regulation to create a new market on which new companies can compete. So you want the stick, you want the regulation saying, you know, you have to use best practices, you can’t commit gross negligence, but you also want to have insurance companies saying, you know, you can save a lot of money if you do the right thing. It’s that combination of carrot and stick that’s really going to compel enterprises to do the right thing, because the right thing is not necessarily the same as what is good for their bottom line. And creating a market where it is good for their bottom line makes it easier for profit driven CEOs to make the right decision and to do the right thing.

How optimistic are you, just anecdotally, that you think, looking at what has happened in the past, that this, that good business practice will happen?

I think it’s not gonna happen.

All right. Thank you so much, J.M. Thank you all so much for tuning in to this episode of Salted Hash with J.M. Porup, all about cyber insurance. See you next time.
