FIN 4334.001
The Growing Issues with Cyber Insurance
As computing technology and hacking skillsets develop, there are more
cyber-attacks on businesses every year. Lloyd's, a British insurance company,
states that cyber-attacks cost businesses over $400 billion a year in
damages, and that this cost has increased every year. Last year, insurance companies
collected around $2.5 billion in premiums, $500 million more than the
previous year and $2 billion more than in 2013. There is a growing need for
coverage following disastrous cyber-attacks; companies need assistance with
defending lawsuits, awarding judgments/settlements, and costs of
indemnifying those affected by the breaches. There are three issues facing
cyber insurance currently: risk pricing challenges, information asymmetry,
and closing the gap between cyber security and cyber insurance.
Cyber insurance providers are relying on very narrow policy terms and
conditions, along with conservative pricing, to limit their risk exposure.
However, clients are beginning to question the value of their policies. Clients
are concerned with the ever-increasing depth of cyber-attacks, and whether they
are covered against future elaborate attacks not specifically mentioned in their
policies. There is a significant risk pricing challenge presented to the
industry. Cyber-attacks are not like other risks. The scale for damages is
potentially enormous, there is little public data available, and the attacks
between information from the insurer and the insured. Cyber insurance
companies often do not know information regarding the insured's system
applications, the software products installed, and the IT department's
security habits, all of which are fundamental to determining risk. There is
currently no legislation requiring cyber insurance companies to publish their
data, creating a potentially monopolistic industry where the better-informed
insurer has the majority of market share. Currently, there are five
underwriting entities for all cyber insurers.
Ranjan Pal, from the University of Southern California, has created a
model in which cyber insurance companies can assist their underwriters in
creating appropriate premiums. The mechanism helps alleviate information
asymmetry, using various scenarios targeting risk-averse companies with
little to no information on the insured. The model does make the assumption
that it is mandatory for users to purchase cyber insurance. For Pal's model to
work, the insured must have proper self-defense mechanisms (such as
antivirus software), which are required by all cyber insurance policies. Finally,
the model gauges risk based on a company's wealth/assets and
recommends pricing premiums appropriately. Pal's model has been used by
the National Association of Insurance Commissioners (NAIC) for developing a
more rigorous structure for underwriters to use.
Finally, there is a large disconnect between cyber security firms such
as Norton Antivirus, McAfee, etc. and the cyber insurers. Insurers assess
financial losses from attacks and focus on risk management. Cyber security
firms often ignore the issues facing cyber insurers, and must take their
positions into consideration. Cyber security firms need to learn how to draw
necessary boundaries, explain the scope of attacks/breaches, and assist in
the damage calculation assessments. Security firms often understate attacks
on companies defended by their software, or underestimate damage done
publicly. For cyber insurers to operate functionally, there must be a clear and
honest dialogue between the two industries so premiums can be priced
appropriately, and for cyber insurers to know how to best write policies.
When cyber security firms struggle to properly assess damages from
breaches, companies may question whether cyber insurance is even worth it.
InfoSec states that there are several cyber insurance considerations
that must be met by cyber security firms, governmental bodies, and the
insured to provide proper coverage and risk assessment. First, there has to
be a clear and concise definition of terms such as "hacker," "attack," and
"incident" in terms of cyber insurance. As of 2015, there are no standardized
definitions of these terms, which increases cyber insurers' liability.
Secondly, the insured must be very clear about exactly what coverage their
specific company requires. Coverage definition for cyber-attacks starts with
company audits for the valuation of data and estimates of aggregate costs of
attacks. Finally, the insured must make sure their policies cover all aspects of a
breach. Currently, there are three stages of a breach that will be covered by
cyber insurance: discovery, investigation/remediation, and court costs.
Citations
PricewaterhouseCoopers. "The Promise and Pitfalls of Cyber Insurance." The Promise and
Pitfalls of Cyber Insurance (2016): n. pag. PricewaterhouseCoopers, Jan. 2016. Web. Nov. 2016.
Filkins, Barbara. "Quantifying Risk: Closing the Chasm between Cybersecurity and Cyber
Insurance." Www.sans.org. PivotPoint Risk Analytics, Mar. 2016. Web. Nov. 2016.
Pal, Ranjan. "One Government's Approach to Cyber Security Policy." Cyber Security Policy
Guidebook Bayuk/Cyber Security Policy (2012): 211-37. University of Southern California, May 2012.
Web. Nov. 2016.
Iwata, Edward. "Challenges and Opportunities Ahead for Cyber Insurance Industry - Third
Certainty." Third Certainty. N.p., 28 Mar. 2016. Web. 28 Nov. 2016.