If NIST came up with a new standard for cybersecurity, would your organization be insurable for cyber risks when measured against that standard? This was a leading topic of discussion in Dallas last week at the latest in a series of workshops attempting to fine tune the proposed NIST cybersecurity framework (we have discussed previous CSF meetings on We Live Security here and also here, plus a podcast here).
Cyber insurance was the topic of a panel moderated by Tom Finan of DHS and including Peter Foster, an insurance broker with the Willis Group, Mark Camillo of AIG, Toby Merrill of ACE USA, and Laurie Schwarz of Lockton. Here is how DHS regards cybersecurity insurance:
Cybersecurity insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, network damage, and cyber extortion. The Department of Commerce has described cybersecurity insurance as an “effective, market-driven way of increasing cybersecurity” because it may help reduce the number of successful cyber attacks by promoting widespread adoption of preventative measures; encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection; and limiting the level of losses that companies face following a cyber attack.
Of course, NIST is a standards agency, not an insurance or enforcement agency. But NIST is within Commerce, and it does purport to provide standards which are widely accepted across an industry by, for example, insurance companies who are looking for some way to measure whether your business stacks up to the “gold standard” and charge you premiums accordingly. At the moment, many companies should be able to qualify for policies (according to at least one panelist), but insurance companies seem keenly interested in certain key indicators, like whether your corporate culture is proactive or reactive with respect to emerging security issues. Do you stay on top of change, or take a more passive stand-back-and-watch approach when it comes to security? The answers to these questions could factor into the rates you pay for cyber insurance (here's an example of such insurance, offered by AIG, and by ACE USA).
When insurance companies interview you for a cybersecurity policy, you'll want to convince them that you have a very firm grasp on where you are now, where you're going next, and how you plan to prove all that. In general you’ll want to show that you've given your security posture some significant thought.
One panelist likes to ask prospective clients about their recent loss experiences. If they say they've had none, he winces suspiciously and digs deeper, probing how they know whether or not they have been breached, or whether they have a process in place to know at all.
But what exactly will be covered by cyber insurance? That is still less clear. For example, if there is a massive widespread event, say a cyber Katrina-style digital hurricane that wipes out a whole swath of technology services, who pays, for what, to whom, and under what circumstances? This is the capacity question, and just one of the questions DHS dove into regarding cybersecurity insurance here.
And then there are the stock markets. Companies who insure financial transaction folks insure very, very large numbers of transactions. Think many trillions in not very many days. A mass digital train wreck in their world would certainly be uncomfortably scary (for them and us), and make the claims departments cringe.
Oh, and if there is a digital Katrina, you won't see it coming on TV, preceded by pummeling downpours approaching landfall for half a day (or more), it will happen in seconds (maybe microseconds) with little warning, as in the recent ATM heists, where million-dollar-loss-hours may be the norm.
So what's the maximum total impact insurance companies can be reasonably expected to handle? That's a question the panel pondered. One panelist opined they could handle a $350 million dollar event, but probably not 10 of those at the same time. But insurance folks aren't just sitting on their haunches. Insurance calculations are based on the size and type of data available, and there's simply not enough yet to make all the actuarial calculations work, but they’re slowing getting there.
While the cyber insurance industry is in its infancy, breach victims don't seem anxious to trot out every last detail of every breach to bolster actuarial tables, as a full dump of all the details may serve as unintended alarmist warnings to customers and users who want assurances that their data is protected. This is especially true when the competitor down the road doesn't reveal details, thereby possibly courting favor in the marketplace, since they “appear” to be more safe. Would you trot out your organization's details for all to see to make actuaries happy?
And what do you get for your coverage? One panelist highlighted seven different categories of “cybersecurity insurance”, ranging from physical loss, to reputation insurance, and a bevy of others. If your policy responds to a loss by sending you a stack of new servers, that may do little to assuage the total blow to your public image. And that's the point: you really need comprehensive coverage, and may not even know how to assess what you need. And neither may your agent. Again, you’re not alone, as Insurance Journal points out here.
Whatever happens, NIST's cybersecurity framework hopes to aid in the continuing discussions about insurability (and a host of other things) that will potentially affect those providing what can increasingly be considered critical parts of our national core infrastructure.