An Anonymous Coward writes:
According to Technology Review, some business leaders have decided that cyber attacks are just another fact of life and they might as well give up on fixing the problem through IT. And buy insurance instead.
Of course, now the insurance companies have the problem of calculating risk and accompanying premiums.
People are starting to view cybersecurity as a business risk instead of an IT problem, says Arvind Parthasarathi, CEO of Cyence, a three-year-old firm that helps insurers model cyber risks. That means recognizing this is not a problem with a clear solution, but a risk that can be managed, though not eliminated. Now, says Parthasarathi, executives are asking, "How much risk am I comfortable keeping?"
Insurers are asking the same question as they try to determine how to price new cybersecurity policies. The modern cyber threat is complex and rapidly evolving. The most pressing challenge is quantifying the risk of a cyber catastrophe hitting many policyholders at once, estimating the maximum loss in the worst-case scenario. That's what insurers failed to do before Hurricane Andrew. [Which caused some insurance companies to fail.]
A cyber disaster comparable in scale with Hurricane Andrew is hard to model in part because one hasn't happened yet. Last October, we got a glimpse of one way such a calamity might unfold when hackers used a network of commandeered webcams, DVRs, and other Internet of things devices to launch a massive denial of service attack on Dyn, a major router of Internet traffic. [...] The cost of the Dyn attack is not yet clear, but a recent four-hour outage of Amazon's S3 cloud storage system (which was not the result of a cyberattack) cost S&P 500 companies at least $150 million, according to an estimate from Cyence. It is not hard to imagine a large-scale attack on a cloud service causing billions in losses.
The article covers other cases including losses from a really major attack.
Your PHB said that your security requests were too expensive. And now he (or his bosses) have decided that it's not even possible to be secure. Time to throw in the towel?
(Score: 2) by Grishnakh on Wednesday April 12 2017, @12:36AM (2 children)
Hopefully, any insurers stupid enough to get into this business will be bankrupted when some company doesn't bother writing secure code and gets hacked.
(Score: 3, Interesting) by bob_super on Wednesday April 12 2017, @12:40AM
I foresee a really bright future for forensic guys paid by insurers to prove that inappropriate measures were taken, and therefore, according to fine print that the PHB can't understand, claims should be denied...
(Score: 3, Interesting) by Snotnose on Wednesday April 12 2017, @01:37AM
Yeah, the only way I see for insurers to come out ahead here is to form a team of security professionals that can evaluate each client's security. Thoroughly. Updated every few months. That's gonna cost some big bux on top of the assumed risk.
These teams will soon learn the biggest risk is from various TLAs, and learn how to mitigate the damage the TLAs' tools can cause. At which point they realize they can make 10x the money by going rogue and using those tools.
If I was an insurance company I wouldn't go near insuring against cyber-attacks. When the government is the biggest risk you face, you're gonna lose.
When the dust settled America realized it was saved by a porn star.