
SoylentNews is people

posted by janrinok on Wednesday June 18 2014, @05:27PM
from the I-thought-insurance-was-always-a-mess dept.

A recent New York Times article ( http://www.nytimes.com/2014/06/09/business/cyberattack-insurance-a-challenge-for-business.html ) touted cyberinsurance as the "fastest-growing niche in the insurance industry today." Nicole Perlroth and Elizabeth Harris report: "After the breach at Target, its profit was cut nearly in half - down 46 percent over the same period the year before - in large part because the breach scared away its customers." These enormous costs to brand reputation make it difficult for companies to get as much cyber risk coverage as they want, and the demand is only growing. The Times cites statistics showing a 21 percent increase in demand for cyber-insurance policies from 2012 to 2013, with total premiums reaching $1.3 billion last year and individual companies able to acquire a maximum of roughly $300 million in coverage.

At the time of its breach, Target had only $100 million in coverage, with a $10 million deductible, and had been turned away by at least one insurer when it tried to acquire more cyberinsurance, Perlroth and Harris report. They suggest that this coverage may fall well short of the massive losses incurred by the company when it saw its profits nearly halved.

But their piece comes less than a month after Eric Chemi argued exactly the opposite about the impact of Target's security breach in a piece for Bloomberg Businessweek titled "Investors Couldn't Care Less About Data Breaches." He wrote:

Consider Target and its own well-publicized data breach that happened back in December. Target's stock didn't really move at all. Investors sent a clear message they didn't care. The stock fell several weeks later, in January, only after the company cut its earnings forecast. Even so, the stock rebounded in the next six weeks. Target shares have been falling since last year, for a lot of reasons unrelated to the data breach.

There is a good essay on cyber-insurance here.

This discussion has been archived. No new comments can be posted.
  • (Score: 2) by joshuajon on Wednesday June 18 2014, @05:33PM

    by joshuajon (807) on Wednesday June 18 2014, @05:33PM (#57039)

    I wonder if anyone with any experience in this industry can comment about how liability works wrt "cyberinsurance". The details of many big publicized data breaches certainly seem to indicate that the blame lay squarely with a poorly implemented system, lapse in policy, or otherwise in the hands of some system architect or administrator. Does "cyberinsurance" pay out in these cases?

    I'm reminded of my first (and thus far only) attempted claim against my homeowners insurance. Several feet of snow caused a roof joist in my barn to collapse under the weight. The insurance adjuster took a look and said "This roof was improperly constructed - joists must be closer together. We can't pay out on this, the fault lies with the builder." That hasn't stopped them from nominally covering the outbuilding, but it's clear that they won't pay for damage sustained due to negligence in construction.

    How would this type of situation play out in "cyberinsurance" terms?

    • (Score: 2) by tempest on Wednesday June 18 2014, @05:45PM

      by tempest (3050) on Wednesday June 18 2014, @05:45PM (#57045)

      I recently had to answer a questionnaire for a cyber insurance quote, and there was the stipulation that a security consultant had to be brought in if you didn't meet all the criteria. Or perhaps it was required in all cases. Anyway, it sounded like the insurance company wanted to be sure adequate steps were taken before they'd even cover you. The questions asked were far more reasonable than most "assessments" I've filled out in the past (aside from the usual problems with ambiguity and "blanket responses" without situation context), so it seemed fair if I'd done everything asked and there was a breach, that they'd pay out.

      • (Score: 2) by HiThere on Wednesday June 18 2014, @07:40PM

        by HiThere (866) on Wednesday June 18 2014, @07:40PM (#57101) Journal

        That was applying for a policy, not attempting to get them to honestly pay what they'd collected money to insure.

        --
        Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
    • (Score: 0) by Anonymous Coward on Thursday June 19 2014, @06:53PM

      by Anonymous Coward on Thursday June 19 2014, @06:53PM (#57554)

      My company is venturing into cyber insurance. I'm not involved with the effort but I've been following it.

      The cyber insurance practice views negligence in user education and installing updates as the root causes of attacks. Internally, we're now required to take an online security course with an end of course quiz. Typically my company has a policy of defending its employees in any lawsuits provided that they aren't breaking company policy. This would essentially be an extension of that. You put the training material out there, require that the user confirm they've paid at least basic attention to it and make the user aware that they may be on their own if they break company policy and a breach occurs.

      There are existing lines of insurance protecting against employees failing to follow a policy and lying about it. Presumably that coverage would be used if that were the failing element.

      I'm not aware of any efforts to require security standards in any in-house software as part of the underwriting for our insurance. Most of our clients that we would be selling to would likely only be using third party software for any internet-facing applications, so in our case the focus on underwriting user training policies and update policies may be sufficient.

      I would guess that our policies would pay out if the covered company is following our guidelines but is breached anyway due to some sort of zero day exploit or novel social engineering approach that the users haven't been educated about.

  • (Score: 2) by edIII on Wednesday June 18 2014, @06:27PM

    by edIII (791) on Wednesday June 18 2014, @06:27PM (#57071)

    So... let me get this straight... I'm going to be paying for this insurance policy to cover their possible losses in the form of higher costs on products?

    It's really sad and pathetic when executives are willing to throw money away on insurance instead of allocating the budget towards IT and demanding better performance. The two go hand in hand. If they want higher levels of security then the compensation packages need to go up.

    Basically, fire their fucking CTO. How on Earth anyone thought it was a good idea to have the HVAC system hooked up to the main network with not even a VLAN separating traffic is beyond me. He didn't do his job, and security is always first in an organization that large. If you need to grab an executive and slam his head into the table a couple of hundred times, do it. At least write everything out on paper when the decisions go against security in the name of being cheap (read: more money for greedy executives). When something goes wrong hand those papers to the board of directors and say, "I told them so".

    Another way I see this is that I'm pretty much paying a $1 or so every time I would shop there towards a "government fines and punishment fund". I believe it's Massachusetts(?) that would stick it to them hard for negligence, and cyberinsurance does not solve negligence. It would only be used to pay the fines, and nothing actually changed. Nobody learned their lessons.

    Cyberinsurance is about the stupidest proposition I ever heard. In almost every single case you're better off spending that money on better implementations, products, and services. It's an entire industry dedicated towards enabling the bad behavior that created it.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
    • (Score: 2, Interesting) by Horse With Stripes on Wednesday June 18 2014, @07:07PM

      by Horse With Stripes (577) on Wednesday June 18 2014, @07:07PM (#57083)

      It's really sad and pathetic when executives are willing to throw money away on insurance instead of allocating the budget towards IT and demanding better performance.

      They need to spend money on both, and my clients do.

      One of my clients, who has $ millions worth of PII & PHI (at current market prices), needs cyber insurance to protect against any lawsuits just in case they have some type of breach. It could be external, internal, physical break in, etc. They still spend good money on security assessments, pen tests, software, me, training, etc as well as securing their facility.

      All it takes is one failure by an employee (opening an attachment, clicking on a link, stumbling upon an infected ad, etc). On our end of things we need to stop each and every possibility and/or attempt. The bad guys only need to get it right once. Just once. The cyber insurance is there if any one of the humans involved in all of this actually turns out to be human.

      • (Score: 2) by VLM on Wednesday June 18 2014, @08:28PM

        by VLM (445) on Wednesday June 18 2014, @08:28PM (#57115)

        I am not a crook, but just sayin, that if I was, like the day after I get my 5 figures of bitcoin from my Russian friends or my 31 mail order brides arrive in the UPS truck or whatever deal I've worked out with them, I'd probably go to great effort to cover up my freelancing by

        "(opening an attachment, clicking on a link, stumbling upon an infected ad, etc)."

        And I'm guessing if the firewall is too tight, well, I might have to plug a HVAC system into the secured LAN, or something like that.

        "Geeze boss really sorry the entire credit card collection got stolen when my car window was smashed, what terrible luck" That sort of thing.

        Just sayin. I suspect when you hear a story about someone behaving in a way too stupid to imagine, they're probably not stupid at all. And now they're probably rich, even if no one knows it publicly. So be nice to them.

        • (Score: 2) by EvilJim on Thursday June 19 2014, @02:38AM

          by EvilJim (2501) on Thursday June 19 2014, @02:38AM (#57237) Journal

          Those Russian brides are a scam, I ordered one, found her dead in the crate with a stack of heroin addressed to someone else and the cops want to charge ME with importing a controlled substance... bah, never again.

    • (Score: 0) by Anonymous Coward on Wednesday June 18 2014, @07:17PM

      by Anonymous Coward on Wednesday June 18 2014, @07:17PM (#57089)

      It's really sad and pathetic when executives are willing to throw money away on insurance instead of allocating the budget towards IT and demanding better performance.

      No shit. The whole concept of "insurance" is basically a scam anyway, and in today's society it absolutely IS a scam since the majority of them refuse to hold up their end of the contract.

    • (Score: 2) by scruffybeard on Wednesday June 18 2014, @07:37PM

      by scruffybeard (533) on Wednesday June 18 2014, @07:37PM (#57099)

      It's really sad and pathetic when executives are willing to throw money away on insurance instead of allocating the budget towards IT and demanding better performance.

      I am having trouble swallowing this logic. People frequently buy insurance to insure against their own stupidity. I like to think I am a safe driver, but I still need insurance in case I am at fault, or someone hits me and doesn't have enough insurance to cover the damage. The same applies to contractors who work on your house. They may be the best in the business, but there is still a possibility that things will be overlooked. We are only human, and sh*t happens.

      • (Score: 2) by tathra on Wednesday June 18 2014, @07:57PM

        by tathra (3367) on Wednesday June 18 2014, @07:57PM (#57107)

        ...but I still need insurance in case I am at fault, or someone hits me and doesn't have enough insurance to cover the damage.

        no, you need insurance on your car because the law requires it. insurance companies are well known for denying all claims by default and not paying a cent until they're sued and ordered by the court to do so. that is why it's sad and pathetic, and worse than throwing money away.

        • (Score: 2) by VLM on Wednesday June 18 2014, @08:40PM

          by VLM (445) on Wednesday June 18 2014, @08:40PM (#57121)

          That "mostly" happens when you aggressively optimize to the cheapest most heavily advertised insurers.

          I was initially "stuck" because the agent was a family friend with an average insurer, not discount at all, and even after he died thru sheer inertia I stay with them, but whenever something happens they do not play the games I've heard the budget insurers play. I actually get what I paid for, which I've heard never happens with the discount insurers.

          One way to put it, is you can pay now, or pay later.

          Think about it, the discount CEO demands the same 175 foot yacht as the average CEO or the expensive CEO, and the only tools they have to operate with WRT price is cutting payouts or cutting customer service. So if you wanna pay 5% less in exchange for never getting payouts when you need them and the only customer service being a guy in India who doesn't speak English, I don't see the point in paying 95% of a real insurer for nothing at all.

          I've had the same experience with renting. My SIL would always find the cheapest apartment in an area and I'd find the most expensive and I swear that girl spent every minute complaining about bugs and broken appliances and broken windows, whereas I lived in the lap of luxury. She spent years of her life complaining about the stove with only one working burner and the leaky pipes and the leaky ceiling and the broken window while I've got pro landscapers, weekly common area carpet scrubbing, resurfaced driveway every spring, heated underground parking, new appliances... I only paid maybe $200/month more than her, but I loved every minute of renting and she hated every second. Note her salary was higher than mine, I was just spending my money more wisely...

          Kinda like buying clothes at Walmart. Even now I don't make enough money to buy junk that falls apart instantly, I'm not rich enough to shop at Walmart. Apparently poor people are, or maybe shopping there is why they remain poor. It's very expensive being poor...

          • (Score: 2) by scruffybeard on Thursday June 19 2014, @12:26PM

            by scruffybeard (533) on Thursday June 19 2014, @12:26PM (#57388)

            Insurance (among many things) is something that almost everyone buys, but rarely take the time to understand what they are getting. Every other year I review my policies with my agent, to make sure I have the coverage I need. Last year we found that I was over insured in one area, and I was able to save a few bucks. Doing a little bit of homework up front can save a lot of aggravation later.

          • (Score: 2) by urza9814 on Thursday June 19 2014, @05:18PM

            by urza9814 (3954) on Thursday June 19 2014, @05:18PM (#57507) Journal

            Kinda like buying clothes at Walmart. Even now I don't make enough money to buy junk that falls apart instantly, I'm not rich enough to shop at Walmart. Apparently poor people are, or maybe shopping there is why they remain poor. It's very expensive being poor...

            Agreed with you until you got to clothes. Or maybe I just have a corollary -- if it's got a designer's name on it, it's gonna be *worse* than the WalMart garbage. Graduated college two years ago and on weekends I'm still wearing the pants I got in *high school* from JCP. I've got stuff that's ten years old and still looks fine. But all the fancy crap my rich ex got me -- the expensive titanium watch, the "top brand" clothes, the high-end luggage...none of it lasted more than a year. NONE of it. That girl would spend $600 on a freakin *handbag* only to have holes in it three months later!

            And actually...my apartment was the cheapest place I could find, and I've got professional landscapers and common areas cleaned weekly, nothing in the apartment has ever broken, parking lots pristine and plentiful, swimming pool and tennis courts and a well maintained gym...though due to work issues I had to find the place and sign my lease from 1000 miles away, so "cheapest I could find" actually means "cheapest advertised on major rental websites" which puts it $100-$200 above the actual cheapest available.

            All depends what you want though. My clothes are nothing special, but they last *forever*. Some of the buildings in my apartment complex are over a hundred years old, it's no fancy modern lofts, but it's recently renovated with a great staff and great services. So I say you get what you pay for, but only as long as you first remove the latest popular shiny things from your list of options. If you just buy the most expensive thing possible you're gonna get screwed. Every. Single. Time.

      • (Score: 1) by bzipitidoo on Thursday June 19 2014, @04:16PM

        by bzipitidoo (4388) Subscriber Badge on Thursday June 19 2014, @04:16PM (#57477) Journal

        I find this "sh*t happens" philosophy weak, disingenuous, and dangerous. It's too frequently used to excuse people who do not want to take responsibility for dangers and damages, who have powerful motivation not to as that could cost them money. Just blow it off as bad luck, blame it on God, whatever, as long as the possibility that there's a cause and effect relationship at work, and the cause is human and preventable, gets overlooked or denied. Many things are beyond our control, of course, but that's no reason to let exploiters get away with bull.

        As to driving, that is far and away the most dangerous routine activity most of us do. We've done a fair amount to make it safer, beginning with the change of that basic "sh*t happens" attitude towards automobile accidents that used to prevail before Nader's Unsafe at Any Speed book. I mean, in the 1950s, most cars didn't even have seat belts! Now we have seat belts, headrests, airbags, and more. But it's still the most dangerous routine activity.

        The insurance industry isn't completely reactive. They created Underwriters Laboratories to test products for safety. They've looked at issues such as the design of road intersections, using their data to identify the ones where the most accidents happened, then recommending changes. Some of these changes were frightfully obvious, like moving a big metal box housing traffic light controls a few feet back so it wouldn't block drivers' views. It shouldn't have taken an insurance company to figure that one out, but we all know how businesses and governments are.

        • (Score: 2) by scruffybeard on Thursday June 19 2014, @05:05PM

          by scruffybeard (533) on Thursday June 19 2014, @05:05PM (#57499)

          I see what you are saying but there is a balance to strike here. Let's take the GM ignition switch issue as a current example. Here is a case where people knowingly left a bad product out there, that led to the injury or death of many people. Clearly unethical behavior, for which they should be held accountable. But what if GM management did act early? Since as far as I know, this was not intentional, or born of incompetence or negligence, would it be right to say this was preventable? Before this case I am not sure many could have predicted that something as simple as an ignition key could have caused this much trouble.

    • (Score: 2) by khallow on Wednesday June 18 2014, @10:11PM

      by khallow (3766) Subscriber Badge on Wednesday June 18 2014, @10:11PM (#57161) Journal

      I'm going to be paying for this insurance policy to cover their possible losses in the form of higher costs on products?

      Unless you don't buy Target's products, say because they're overpriced compared to their competitors.

  • (Score: 1, Insightful) by Anonymous Coward on Wednesday June 18 2014, @06:30PM

    by Anonymous Coward on Wednesday June 18 2014, @06:30PM (#57072)

    Nice company ya got there.
    Sure would be a shame if someone broke in.