A recent New York Times article (http://www.nytimes.com/2014/06/09/business/cyberattack-insurance-a-challenge-for-business.html) touted cyberinsurance as the "fastest-growing niche in the insurance industry today." Nicole Perlroth and Elizabeth Harris report: "After the breach at Target, its profit was cut nearly in half - down 46 percent over the same period the year before - in large part because the breach scared away its customers." These enormous costs to brand reputation make it difficult for companies to get as much cyber risk coverage as they want, and the demand is only growing. The Times cites statistics showing a 21 percent increase in demand for cyber-insurance policies from 2012 to 2013, with total premiums reaching $1.3 billion last year and individual companies able to acquire a maximum of roughly $300 million in coverage.
At the time of its breach, Target had only $100 million in coverage, with a $10 million deductible, and had been turned away by at least one insurer when it tried to acquire more cyberinsurance, Perlroth and Harris report. They suggest that this coverage may fall well short of the massive losses incurred by the company when it saw its profits nearly halved.
But their piece comes less than a month after Eric Chemi argued exactly the opposite about the impact of Target's security breach in a piece for Bloomberg Businessweek titled "Investors Couldn't Care Less About Data Breaches." He wrote:
Consider Target and its own well-publicized data breach that happened back in December. Target's stock didn't really move at all. Investors sent a clear message they didn't care. The stock fell several weeks later, in January, only after the company cut its earnings forecast. Even so, the stock rebounded in the next six weeks. Target shares have been falling since last year, for a lot of reasons unrelated to the data breach.
There is a good essay on cyber-insurance here.
(Score: 2) by joshuajon on Wednesday June 18 2014, @05:33PM
I wonder if anyone with any experience in this industry can comment about how liability works wrt "cyberinsurance". The details of many big publicized data breaches certainly seem to indicate that the blame lay squarely with a poorly implemented system, a lapse in policy, or otherwise in the hands of some system architect or administrator. Does "cyberinsurance" pay out in these cases?
I'm reminded of my first (and thus far only) attempted claim against my homeowner's insurance. Several feet of snow caused a roof joist in my barn to collapse under the weight. The insurance adjuster took a look and said "This roof was improperly constructed - joists must be closer together. We can't pay out on this; the fault lies with the builder." That hasn't stopped them from nominally covering the outbuilding, but it's clear that they won't pay for damage sustained due to negligence in construction.
How would this type of situation play out in "cyberinsurance" terms?
(Score: 2) by tempest on Wednesday June 18 2014, @05:45PM
I recently had to answer a questionnaire for a cyber insurance quote, and there was the stipulation that a security consultant had to be brought in if you didn't meet all the criteria. Or perhaps it was required in all cases. Anyway, it sounded like the insurance company wanted to be sure adequate steps were taken before they'd even cover you. The questions asked were far more reasonable than most "assessments" I've filled out in the past (aside from the usual problems with ambiguity and "blanket responses" without situation context), so it seemed fair that if I'd done everything asked and there was a breach, they'd pay out.
(Score: 2) by HiThere on Wednesday June 18 2014, @07:40PM
That was applying for a policy, not attempting to get them to honestly pay what they'd collected money to insure.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 0) by Anonymous Coward on Thursday June 19 2014, @06:53PM
My company is venturing into cyber insurance. I'm not involved with the effort but I've been following it.
The cyber insurance practice views negligence in user education and installing updates as the root causes of attacks. Internally, we're now required to take an online security course with an end-of-course quiz. Typically my company has a policy of defending its employees in any lawsuits provided that they aren't breaking company policy. This would essentially be an extension of that. You put the training material out there, require that the user confirm they've paid at least basic attention to it, and make the user aware that they may be on their own if they break company policy and a breach occurs.
There are existing lines of insurance protecting against employees failing to follow a policy and lying about it. Presumably that coverage would be used if that were the failing element.
I'm not aware of any efforts to require security standards in any in-house software as part of the underwriting for our insurance. Most of the clients we would be selling to would likely only be using third-party software for any internet-facing applications, so in our case the focus on underwriting user training policies and update policies may be sufficient.
I would guess that our policies would pay out if the covered company is following our guidelines but is breached anyway due to some sort of zero day exploit or novel social engineering approach that the users haven't been educated about.