A few weeks ago (10/10/13) in Info Security Magazine Colin Tankard wrote a piece looking at Cyber Insurance and some of its pitfalls or potential issues. This prompted one of our Founding Members Tom Whipp from Oval Group
Tom raises important points that go to the heart of cyber risk and shows how businesses can make insurance work in this specialist market sector. Here is Tom's response to the article in full...
I read Colin Tankard’s comment published on the 10th October with interest (“Beware the Nascent Cyber Insurance Market”), and while I would agree that some of the concerns his article raised are legitimate I am unable to agree with the overall position adopted.
Within his article Colin cites many statistics relating to the likelihood of a firm identifying a security breach (a subset of the breaches they actually experience). I personally take it as a fact that over an extended period most organisations will suffer a significant breach, and in a notable percentage of these cases the impact could create genuine business disruption. These statistics are a clear indicator that a prevention-only approach to organisational security does not work.
Quite simply, it is not economically viable or technically possible for any organisation to 100% secure themselves. My favourite paper on the subject is “Why Information Security is Hard - An Economic Perspective”, written by Ross Anderson of Cambridge University in 2001; every InfoSec professional should read this.
Within the InfoSec profession our role is to reduce the frequency of these breaches and, where they occur, to minimise the losses – the uncomfortable truth here is that there is an acceptance that there will be losses. Indeed, if you look at physical security solutions they acknowledge that static security controls will be defeated given time; instead physical security designs will focus upon delaying an attacker long enough for a response capability to be activated.
I advocate security strategies that categorise their components into four strands: prevention, detection, response and residual. The first three areas are those that can be controlled in a technical fashion and serve to control the loss experience; the final component is a board matter and consists of a decision to either accept certain risks or to insure them. Increasingly, boards are considering insurance in relation to “cyber” risks – this shouldn’t be seen as a criticism of their InfoSec teams, it’s much more a sign of a maturing understanding of the topic at board level. When a board is not explicitly considering residual risk, what that really signals is that they don’t consider the risk to be genuine in the first place.
So, where would insurance sit in a security strategy? The current products on the market are split between third party claims and first party losses (e.g. lost revenue and the costs arising from dealing with the incident). Whilst the third party cover is driven by contractual obligations and the legal system in the US, the first party covers provide the costs in dealing with a disruption to the business and the subsequent loss of revenue to a certain limit. The analogy is very clear: no organisation wants to experience a disaster, but they accept that they could experience one and that the impact could be sufficient to destroy the business. Wouldn’t you like your board to view security as something that has business significance?
The natural analogy for these types of insurance is that they are like the airbags in your car; no matter what other technology you have, or how well you drive, you may experience a crash. An airbag doesn’t guarantee that you’ll walk away, but it certainly improves your odds.
It is, however, important to understand that a “cyber” policy is a specialist product and the market for these is still developing. These products should not be confused with some of the extensions added to “computer” policies, which really were designed to cover the physical replacement of equipment, not the business impact associated with a disruption. Many of the poor experiences reported relate to clients who believed they had cyber cover, when in fact they had a poorly constructed free extension to a product designed to replace server hardware.
Any insurance claim is going to be scrutinised, but it’s important to understand that these products are not sold direct. Provided you work with a broker who has specialist knowledge of the cyber market then they will be able to work with you to avoid those products which have overly onerous warranties and exclusions, and present your risk in the best possible light when broking the initial cover. Your broker will probably also assist you should you ever need to submit a claim.
While I fully understand the suspicion that insurers will seek to avoid paying claims, if they do this in a systemic fashion then the brokers will cease to recommend their products, and that is a strong incentive for them to “play fair”. While there has been some publicity about claims which have been refused, I’m aware through conversations with underwriters of a number of high value claims which have been paid without publicity; most organisations remain loath to admit they have been affected by a security breach, and so the lack of public data here should not be surprising.
Colin’s article notes that an insurer may require controls beyond those required by an auditor and flags this as a negative; personally I see this as a positive, as it moves the organisation away from a tick-box mentality to security. Rigid technical standards such as PCI-DSS have an important place in the security ecosystem by encouraging fixed minimum controls; however, there is always a risk that the organisation concerned has gamed the certification through aggressive control of the scope and ignoring side-channel risks. When the objective is to get the certification rather than be secure, then the project will be approached with a narrow cost control mindset.
Risk-based standards (e.g. ISO27001) are not perfect and are still subject to scope control, but they are generally more holistic. The proposal forms that I have seen for cyber products could generally be described as a subset of ISO27001 recommended controls, with disclosures relating to known breaches in the last few years. Cyber policies are manually underwritten – which means that the price that you’d be charged is based upon a specialist underwriter’s personal view of the control environment you have; this is very different from the algorithmic pricing applied to domestic car insurance.
Getting a quote for cyber insurance does not require you to implement additional controls, but should an underwriter decline to quote on the basis that you are missing a control, then I’d humbly suggest that this is something that you need to consider as a business issue, as there are very few of these red lines, and the ones that exist are there for good reason.
The market in the UK for this type of cover will continue to develop, and I’ve had the pleasure of being involved with the Cyber Risk Insurance Forum (CRIF), which includes a number of specialist brokers, leading underwriters, legal firms and technical security companies. This group is seeking to promote and develop the UK approach in this area.
Finally, on a regulatory note, I must highlight that while I work for Oval, who have a cyber broking specialism (and were a finalist within the 2011 SC Magazine awards), I am not personally a qualified broker. As such, all I am authorised to do is provide general information about this topic. Should you wish to investigate how cyber cover could fit within both your security strategy and corporate insurance portfolio, then you should speak to your insurance broker.
Tom Whipp MSc MEng CISSP CPP MBCI
Head of Risk, Oval Ltd
17th October 2013