Sunday, April 24, 2016

Could Insurance Industry Drive Down Cybersecurity Risks as It Does Fire Risks?

"A few weeks ago, Tom Finan — a former Department of Homeland Security official who is now chief strategy officer for Ark Network Security Solutions L.L.C., a Dulles, Virginia-based consultant — appeared before a House Homeland Security Committee subcommittee and noted that cyber insurance could one day promote the same kind of risk management for cyber that fire insurance has provided against fire perils. While at DHS, Mr. Finan headed the agency's cyber insurance initiative."

Thursday, September 25, 2014

NY Financial Regulator Talks Tough On Cybersecurity and Talks Up Cyber Insurance

New York State's superintendent of the Department of Financial Services (DFS), Benjamin Lawsky, is going after cybersecurity in the state's major financial companies. He says cyber insurance can play a role:

"'I worry that we're going to have some major cyber event in the financial system that's going to cause us all to shudder,' said Lawsky, who regulates both banks and insurance companies.

Lawsky noted that, while there's a role for policy makers and legislators to address the issue, the public sector also may be able to prod the private sector to take steps to better handle the risk.

'We need to think about ways to incentivize the market participants to do more to protect themselves from attacks,' Lawsky said.

He noted the rising market for cyber attack insurance, still in its relative infancy. That, in turn, could help companies improve their internal systems to fight such breaches, as those efforts could help them secure policies."

Monday, May 12, 2014

Insurance Companies Struggle to Price Cyberliability Risk

"Insurers have old, tried and true ways to rate the risk of customers for more conventional forms of insurance, like homeowners and professional malpractice, but cybersecurity insurance is both new and increasingly competitive. It creates an uncomfortably risky situation for the insurers themselves. The "data-driven risk management" BitSight is working on, explained by Boyer in a recent webinar, might help insurers to price the risk more accurately, and this will be better for everyone (at least in the big picture)."

Friday, March 28, 2014

Target and Other Cyber Attacks Drive Demand for Cyber Insurance

"With vulnerability to hacking in stark relief, insurance brokers say sales of cyberinsurance have picked up sharply this year. The interest is coming from a diverse mix of customers, including public schools in Ann Arbor, Mich., which in February acquired $1 million in cyberspecific coverage for the first time, from a unit of Zurich Insurance Group AG.

'You hear in the news of all those things happening, and we just wanted to make sure that our employees would be covered in case of a breach,' said Nancy Hoover, a school-district finance official. The district is adopting new human-resources and payroll software and was concerned its potential risk was increasing, she said. The policy's annual premium is $21,400, and it covers the cost of services to monitor credit-card accounts, among other potential expenses."

Tuesday, December 31, 2013

Cyber Extortion Insurance

Cyber extortion is a growing concern among business owners and boards. It should be a consideration in your cybersecurity insurance policy decision.

An example of cyber extortion is using denial of service attacks to shut down the Web sites of a target, then demanding some sort of compensation or action to allow service to return to normal. This can be a devastating attack for e-commerce companies that depend on Web site "up time", and such attacks are also sometimes used as "smokescreens" for related hacks seeking to steal IP, personal information or other digital valuables.

One case during 2013 involved extortionists who launched DDoS attacks against a British online business, then met the managers to "demand a 50 percent share of the firm. If the owner failed to agree to these terms, the men threatened to use the services of a computer hacker to launch DDoS attacks on the casino’s servers..."

Broader Benefits of Cyber Insurance

The Benefits of Cyber-Insurance

Cyber-insurance increases cyber-security by encouraging the adoption of best practices. Insurers will require a level of security as a precondition of coverage, and companies adopting better security practices often receive lower insurance rates. This helps companies to internalize both the benefits of good security and the costs of poor security, which in turn leads to greater investment and improvements in cyber-security.
The security requirements used by cyber-insurers are also helpful. With widespread take-up of insurance, these requirements become de facto standards, while still being quick to update as necessary. Since insurers will be required to pay out cyber-losses, they have a strong interest in greater security, and their requirements are continually increasing.
As well as directly improving security, cyber-insurance is enormously beneficial in the event of a large-scale security incident. Insurance provides a smooth funding mechanism for recovery from major losses, helping businesses to return to normal and reducing the need for government assistance.
Finally, insurance allows cyber-security risks to be distributed fairly, with higher premiums for companies whose expected loss from such risks is greater. This avoids potentially dangerous concentration of risk while also preventing free-riding.

Advantages over Governmental Regulation

Cyber-insurance has a number of advantages over governmental regulation as a means for improving cyber-security. First and foremost, government standard-setting is simply not suitable for a rapidly evolving area such as cyber-security. Standards produced by organized bodies are based on compromise, and government involvement in the process stifles innovation further. Closely related to this is the threat of regulatory capture attendant with any system of governmental regulation.
Positive reinforcement is generally the more effective behavior modification technique, as individuals naturally prefer reward to punishment. Fear of legal sanctions can force companies to maintain a set of minimum standards, as cyber-insurance does, but unlike cyber-insurance it does not provide any incentive to do better. Governmental regulation results in an emphasis on meeting basic minimum standards, whereas insurance results in companies striving to adopt – and improve upon – best practices. Finally, because the risk is global, United States regulations alone cannot effectively manage it. However, worldwide regulation is impractical because international organizations move even more slowly than national governments. Widespread use of cyber-insurance will produce better security than a system of governmental regulation and standard-setting.
(Courtesy: White House)

Does My Company Already Have Cyber Insurance?

Do I Already Have Cyber Security Insurance? 

If You Have to Ask, the Answer is Probably "No."

Cyber insurance -- also called cyber security insurance, cyber liability insurance, cyber risk insurance, and data security insurance, among other terms -- is an insurance product used to protect businesses from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities. Risks of this nature are typically excluded from traditional commercial general liability policies. Coverages provided by cyber-insurance policies may include first-party coverage against losses such as data destruction, extortion, theft, hacking, and denial of service attacks; liability coverage indemnifying companies for losses to others caused, for example, by errors and omissions, failure to safeguard data, or defamation; and other benefits including regular security audits, post-incident public relations and investigative expenses, and criminal reward funds. (Courtesy: White House)