Insure against a cyberwhat now? How the heck do we crunch those numbers?

The head of a UK industry insurance organisation has called for the government to create a database where companies would be obliged to “record details of cyber attacks”. Insurers are struggling to assess premiums for newly introduced cyber insurance policies in the absence of background info, according to the head of the …

  1. Graham Marsden

    Insurers are struggling to access premiums

    Assuming that's actually supposed to be "assess", they'll do it by the usual method of "how much do you think we can gouge out of the punters for this".

    Of course they'll then bump the premiums up about 25% on renewal, hoping the hike will go through on the nod, but if people complain, suddenly the insurers will find they can give you a "special discount"...

  2. Doctor Syntax Silver badge

    “We have 350 years of fire data and 100 years of motor and aviation data, but we have just a few years of cyber data,”

    They may have all those years of fire etc. data now. Initially they didn't. They coped then. They'll need to cope the same way now.

    Of course there are some interesting aspects to this, such as the way risk is affected if the CIO goes to the board and says "we need to improve security" and the board hears him say "I want to throw money away."

  3. Swarthy

    This may help goad security upgrades

    If it comes down to spending a million now, or two million later if when there is a breach, most corporates will opt for the latter. If it comes down to spending a million now, or having your premiums hiked by 100K per month, I can see some CFOs actually agreeing to splash out on security upgrades.

  4. Anonymous Coward

    “We have 350 years of fire data and 100 years of motor and aviation data, but we have just a few years of cyber data,”

    We need this data to show assumed negligence and therefore not have to pay on claims and will need to have robust terms to enable us to do this.

    Call me cynical but that's how I see all insurance.

    Also, how would you prove you applied a patch and where would the liability fall if you patched but you were compromised before the patch was applied?

    1. Dadmin

      Exactly! Here's how insurance "covers you"; Mr Government, please force people to purchase our "coverage." Great, thanks! Now, Mr. Customer; pay us our premiums! You want us to cover what now? Oh no, no, no, Mr. Customer. You didn't purchase our super secret plan where we actually pay your claims, so you're shit-out-of-luck.

      So many loopholes, so many ways to play and never get anything back in return. What a great scam most insurance is! I wish I had the gene that lets me rip people off without remorse, just like TV preachers and insurance companies.

      "The head of a UK industry insurance organisation has called for the government to create a database where companies would be"...

      too late, it's been hacked. Try again.

  5. Brian Miller

    Hackers hack hacks, doped data dumbed down decisively

    "We've just collected all the data on all hacks!" "Great! Now we'll get a printout of risk." "Funny, it says that everything's OK, and there's no risk. Oh, and our cat is flipping the bird." "How did the computer know that?"

    Something like this would simply be a magnet for being vandalized. I wonder what the insurance companies are doing now to track "cyber attacks." Do they count all of the times a system goes down due to bugs? "Oh, we were attacked." Reality: we don't know how to code, so we're going to blame it on hackers. Will there be DOS mitigation insurance sold? This is just such a pathetic rabbit hole.

  6. Anonymous Coward

    We have 350 years of fire data.

    2016 - 350 = ?

    Is that some kind of joke or am I the only one to spot that one?

    1. A Nother Handle

      https://en.wikipedia.org/wiki/Property_insurance

      He's referring to the age of the fire insurance industry. 350 years is an exaggeration, but only a small one.

      1. The Mole

        Also I'd point out Lloyd's of London has been providing a marketplace for maritime insurance since 1688 - 328 years ago, which I'm happy to accept being rounded to 350, particularly as there was probably some insurance happening before then!

    2. Doctor Syntax Silver badge

      "We have 350 years of fire data.

      2016 - 350 = ?"

      They did have earlier data but it went up in smoke.

  7. Leeroy

    Crime number

    Try getting a 'crime number' for an IT attack from the local plod.

    They seem to be very careful about their solved crime rate and resist as much as they can assigning crime numbers to things they haven't got a snowball's chance in hell of prosecuting!

  8. Ted's Toy

    Just remember that insurance companies are a nicer way of referring to bookmakers. It is all an odds game, with good bookies winning; bad ones don't last long. Also it is usually the punter who loses.

  9. MAF

    Data can flow in both directions....

    Please Mr Gov'ment, legislate that Insurance companies have to publish figures on total claims vs. total paid out. Then the consumer can exercise choice (Which you are always keen to stress) as to whether a company will pay out on your claim as well as how much they will charge you for a policy.

    This would most likely result in a 'competitive shake-up' in the industry resulting in benefits to the consumer.

    Oh wait, I forgot that you don't care about us as we don't line the Party coffers....

  10. PaulVD

    Many commentards don't understand insurance

    Look at your fire insurance policy; it will exclude, for example, acts of war. The last time Britain got into a big war, half [sorry, lots of] the houses in London caught fire. No insurer can actually pay out that scale of losses, so they exclude them from the risk covered. Somebody else, the insured or the Government, has to bear these risks.

    The insurance spokesman no doubt understands this about insurance, but does not understand cyber security. It is perfectly possible to insure against the odd idiot who leaves a laptop in a taxi, because this is standard idiot behaviour and the industry has lots of data on that. But cyber attacks are much more like warfare, in that people are actively working to create losses. If some unknown vulnerability is discovered and exploited, half [sorry, lots of] the companies in Britain could suffer big losses. The insurers cannot actually pay out for this, and last year's data on cyber attacks is pretty much useless for predicting next year's losses due to new kinds of attacks.

    So the insurers want data that actually won't help them, and that will create new risks. The insurers will either have to become cowboys, making promises that they cannot honour, or will have to exclude liability for most active attacks. That would rather defeat the purpose of cyber insurance.

    1. Doctor Syntax Silver badge

      Re: Many commentards don't understand insurance

      "But cyber attacks are much more like warfare, in that people are actively working to create losses."

      Housebreakers also actively work to create losses. So do arsonists.

      1. J P

        Re: Many commentards don't understand insurance

        Doctor Syntax is right that there are deliberate attacks against physical property, just like virtual assets - but I think the risk with cyber insurance is that (for the time being) we can't tell if someone's about to invent the equivalent of skeleton keys for every physical lock in the country, or a pocket sized laser type device powerful enough to cause ignition of any combustible building material up to and including steel RSJs at a range of up to 3km but which retails for £5.99. Until the underwriters are happy that it's not a risk they need to worry about, setting premiums will remain rather more risky than they're comfortable with.

        1. Coofer Cat

          Re: Many commentards don't understand insurance

          ...and unlike physical locks and doors, 'cyber' security is unseen, and very hard to audit.

          In traditional insurance, if you get burgled the police will look for a forced entry. If there isn't one, you're already in shaky territory with your insurance. If the loss adjuster talks to your neighbours and they tell him/her that they've seen you leave windows open while you pop to the shops, then there's a good chance you won't get a pay out at all.

          To try to keep up the analogy though, if a mega corp gets hacked, it's because they've got an enormous, yet flimsy warehouse made of wood held together with gold nails. They're located in the worst possible part of town, wrong side of the tracks, etc etc. Or, maybe they've got a bomb-proof fortress in the best part of town but store so much unobtanium that they're still a lucrative target.

          The thing is, unlike their physical counterparts, one's virtual presence can't be assessed by a brief look around. Further, one's virtual presence may be in the best part of town now, but at the time of the attack was the flimsy warehouse in the wrong part of town. Assessing someone's security procedures/processes etc is a long job, and only tells you what's in place at that moment.

          The insurance industry doesn't need a database, it needs a certification programme. I guess one day it'll be a bit like car insurance - if you don't have a license, you can't have the insurance (or else can have it at super-high cost). If you only just got the license, you're a higher risk than someone who's had it ages, etc etc.

  11. SeanDavin

    Talking about this at CyberUK Practice yesterday/today

    At the CyberUK conference in Liverpool this week, I've been talking these concerns through with various folk, including from CESG and the Cabinet Office, as all come to terms with the problem of consequential damages and what this means in terms of bounding the loss for an insurer.

    The same hack or employee misbehaviour might still result in the same probability of attack for a small firm or a large financier, but the impact of such an incident is significantly worse.

    Between the fire, house and car insurance issues and cyber crime, there is certainly one chasm of difference and that is one of intent. If someone intends to attack you in a targeted attack, then it is very difficult to draw a parallel with fire insurance except in the case of arson.

    Creating a database of breaches is certainly one thing that might lead to a name-and-shame, but not much real intelligence will be created as a result of it unless patterns of behaviour are starting to show up for types of organisation and how they handle security risks.

    The rapidity of change in the world of cyber attacks has been increasing in pace, voracity and complexity. A database for insurers taking past behaviour 2 years ago won't necessarily keep up with the trends of attacks or indeed be responsive enough to handle campaigns against particular sectors; an example would be the recent campaign against law firms to extract M&A data.

    We will continue to talk this through with other professionals and the insurance industry, and publish articles as we find more to write about.

    1. Doctor Syntax Silver badge

      Re: Talking about this at CyberUK Practice yesterday/today

      "Between the fire, house and car insurance issues and cyber crime, there is certainly one chasm of difference and that is one of intent. If someone intends to attack you in a targeted attack, then it is very difficult to draw a parallel with fire insurance except in the case of arson."

      OK, you spotted the arson aspect. But houses and cars are also subject to targeted attack. Even shipping is subject to piracy. The insurance industry has been dealing with insurance against crime for a long time.

      Although cyber attacks might in some cases be down to nation state organisations they can also be perpetrated by teen-age skiddies.

  12. Ken Moorhouse Silver badge

    Y2K

    The insurance industry does have some data relevant to unforeseen coding scenarios. The Year 2000 problem.

    Ok, the "unforeseen" element in those circumstances was not malicious - unless of course a vendor wanted you to periodically upgrade your hardware/software in a way that caused data-loss if you didn't, and didn't tell you about it until after the event by not performing data boundary condition checks.

    Since then (many saw Y2K as scaremongering, but I can relate many stories to the contrary), there have been other problems of a similar calendrical character, such as leap year and daylight saving calculations - any figures for such events? Or perhaps the victims took the issue up with vendors without claiming on their insurance.

    Another element to this is fraud. How many accounting systems are there out there which have been exploited by dodgy accountants? There has to be data for that going back to pre-millennium days.

  13. blackjack00

    Sure, legislate that people must feed you data

    Does anybody else see the problem behind the unspoken premise? This is a request to use the force of government to compel companies to provide data in order for other private companies to conduct their business.

    I realize that in many parts of the world this is accepted practice, but I am not sure about the UK (seems like some voters were upset at out-of-control regulations recently?). Of course some will argue that it is in "the public interest" etc. That's often a spurious defense, so we have to be able to consider and reject it when appropriate.

    As previous posters have so ably pointed out, this is bookmaking and insurance companies struggle to understand the very nature of the threat and therefore the real risks. In the sense the "war" is usually excluded, aren't all companies essentially on the front lines here? Yes, insurance companies have a problem don't they?
