back to article How cyber insurance actually works

A couple of weeks ago El Reg carried an article by Mark Pesce about the likely evolution of Cyber Insurance. Reg reader and insurance industry veteran Tom Whipp agreed with most of his sentiments, but wasn’t so keen on his conclusions and demanded his stint on the Reg soapbox. So, take it away Tom. I’ve worked in security and …

  1. Roger Greenwood

    I saw one of these proposals recently

    Struck me that there were so many "get out" clauses for the insurer that we were unlikely to ever be able to make a claim. This was/is not unexpected, but as the article points out, allows you to focus on what they consider important and limit your risk anyway without paying a huge premium. Currently these products also seem to be aimed at businesses with a "high street" presence rather than manufacturers no one has heard of (or cares about!)

    1. Thomas Whipp

      Re: I saw one of these proposals recently

      There are a range of options on the market, some of which are very low cost (i.e. premium in the £400 type range) which unsurprisingly provide a fairly low level of cover and are essentially a take it or leave it option which would cover the early stage incident response costs.

      Once you get into the higher cost options with cover in the £X million range then the premiums get larger and some negotiation over policy wording isn't unheard of (this is also where the improvement program requirements tend to kick in).

      1. Anonymous Coward
        Anonymous Coward

        Re: I saw one of these proposals recently

        @ Thomas - forgive the daft question, but do basic things such as a customers IT security, platform and the like mitigate some of the costs associated with the insurance? Or is it purely based on a risk of something happening?

        Using your car insurance analogy, I'm thinking of the no claims discount, or a "black box" in the car that allows you to track location, time of driving, speed and the like to measure the drivers performance...

    2. Hargrove

      Re: I saw one of these proposals recently

      Mr. Greenwood's post makes a critical point. The reason this "was/is not unexpected" reflects the inherent nature of the insurance business. The insurer needs a sufficient base of data to be able to predict the probable outcome with a high degree of precision and confidence.

      And, in this regard, cyber insurance is not simply new. . .the nature of the risks and losses it deals with are radically different in kind from any other activity. Using auto liability as a analog (admittedly a poor and trivial one, but the best I can come up with at the moment) writing a cyber insurance policy is like trying to ensure a fleet of cars where the number, location, and design of the road system, and the size, numbers, as speed limits of the vehicles for any given span of time can vary by orders of magnitude, in ways that cannot be predicted, and where 90% of the drivers are unlicensed.

      To be economically viable insurance coverage must be limited to those risks and losses that can be reliably predicted based on hard statistical data. Given the reality of the global cybersphere, that means limiting the coverage to virtually nothing.

      It's crystal clear that this is headed down the same path as Affordable Health Care. Companies and individuals are going to be required to have cyber insurance, the terms and condition of which will allow the insurance industry to extract high profits for insuring very little in practical terms.

    3. Alan Brown Silver badge

      Re: I saw one of these proposals recently

      > Struck me that there were so many "get out" clauses for the insurer that we were unlikely to ever be able to make a claim.

      Most of them are aimed at making sure that the entity taking out the insurance is actually making sure they take care of the basic self-protection steps.

      It's also worth noting that most liability insurance is null and void (or payouts drastically reduced) if you're warned of a situation, fail to act on the warning and an event subsequently occurs because of the failing or where the failing has a significant impact on what happened next.

      Hence the comment in the article about taking out insurance being a major driver of security improvements.

      Insurance is about risk reduction and compensation when the unexpected occurs. If it's expected then you can't insure against it (well, you can, but your premiums will be vastly higher).

  2. Anonymous Coward
    Anonymous Coward


    Speaking as an insurance insider (and thus AC) I'd agree with Mark's paper.

    Products that exist as a package are designed for a single type of customer (e.g. high-street) and an insurer can be disciplined by the regulator for selling it to a customer that it wasn't designed for.

    The number of policies that can be sold of one type is therefore naturally limited by the insurer's ability to pay out losses in the event of a major event that affects numerous policyholders of that type; the insurer's "capacity".

    Capacity is therefore greater if the policy is different from what they're selling as a product. It's up to the purchaser and their broker to determine what sort of cover they really want. The more clearly articulated this is the easier and cheaper it is to buy, because it doesn't use up same capacity.

    Insurers are happiest when they are selling policies to cover known risks when you just don't know if or when it'll happen (Rumsfeld's known unknowns). Nobody wants to open themselves up to agree to pay out on a general "anything bad happens". Unfortunately many companies want cover so wide that the insurer either has to refuse, add exclusions or charge more than what it would cost for remedial action in the first place. Don't buy insurance it what you need is a sprinkler system.

  3. Philip Virgo

    This is a good introduction. For a deeper understanding of why things are as they are, I recommend reading the Long Finance report on Cyber Catastrophe re-insurance . I attended some of the workshops leading to that report, have blogged on the likely consequences

    The key point is that cyber is being routinely excluded from mainstream policies leaving policies which cover the cost of "incident management" (hopefully including business continuity), provided the organisation has an agreed incident management plan in place.

  4. Ponytailed Opinionator

    A combination of DirectLine and Norton Antivirus as a consumer proposition might be interesting, though?

    The problem consumer antivirus has is justifying any kind of recurring cost: adding anti-fraud insurance, or something similar, gives the consumer a more tangible benefit. The insurance company can probably reclaim some of their losses, when a payout is required, from banks or third parties that have taken insufficient care with customer data (or via their existing corporate insurance), and get benefit of scale in doing so - while the consumer gets to avoid a complex and time-consuming problem.

    And the antivirus company is incentivised to do a good job, rather than being incentivised to build fear and uncertainty in the consumer base, as is currently the case.

    Everyone wins.

    1. Anonymous Coward
      Anonymous Coward

      while I hate the combination of "Norton" and "everyone wins" ....

      On the surface maybe an insurance-backed Clam might sound attractive, but isn't there is an issue in that unless the operating system vendor is taking on liabilities for zero-day, why should any insurer? I would - and have, usually to derision - argued that if you accept money for your operating system then you should also accept some liability if it has holes in it, but that does not reflect commercial reality, in which shrink-wrapped licenses exclude responsibility for anything at all once they've got your money ....

      1. Ponytailed Opinionator

        Norton and 'everyone wins'...

        Let's say a hypothetical competitor to Norton, then, who has actually grasped the concept offering value for value, rather than just looting the system for all it's worth.

        Anyway, the only reason why an Insurance company should offer to take on liabilities for covering zero-days is because they think there's money to be made in doing so. And the more bug-ridden and full of security holes and the longer it takes to patch them, the higher the premiums they offer are going to be.

        Which encourages users to switch to a platform that is more secure*. Which encourages the OS vendors to do a better job, and support their products better. Everybody wins.

        * Or, if they don't have that option, at least potentially allows the insurance company to settle out of court for lost revenue or something? I'm not sure how this would work - if 1% of Fnord cars have accidents because of a manufacturing or design fault, do the insurance providers for all those vehicles get to reclaim some of their losses from Fnord?

    2. Aitor 1 Silver badge

      Unlimited risk vs limited income

      Why whould anyone take that risk? 10 million pounds for 70 pounds? Nobody will sign that!

      1. Nym

        Re: Unlimited risk vs limited income

        Ah, we'll mesmerize them into doing it...

  5. Doctor Syntax Silver badge

    A hard sell

    Cyber insurance must be a particularly hard sell to companies whose response to an incident is simply to brazen it out. Not thinking of anyone in particular, of course.

    1. Anonymous Coward
      Anonymous Coward

      Re: A hard sell

      glad you aren't thinking of anyone in particular. The only think you could do worse than thinking about then is to Talk. Talk is a risk when it comes to security. :)

  6. Peter 39

    Glad to see this

    I am very pleased to see that this is becoming more common in companies. When dealing with security issues and expenditures, the bean-counters frequently reduced or eliminated security aspects of IT budget proposals. They saw it as a dead expense, completely ignoring the fact that what they were doing was self-insuring the company.

    Once cyber insurance becomes commonplace, IT managers will have a way to push back against those cuts by arguing that spending on security will recede the price of insurance. Just as installing better fire protection will cut those premiums significantly.

    Cyber insurance should be mandatory for businesses dealing with customer data (which is most of them) just as liability cover is required for your car. You aren't required to have full cover but you should at least have cover for customers. Why don't we have that yet ??

  7. petboy

    I was disappointed at how little the insurer cared about having proper security when negotiating for cyber insurance with our finance director.

    We were given the initial premium on the basis of having no idea at all about security. I asked what the price would be if I put us through as IASME or even a full ISO27001 audit and ensured compliance. The discount was a couple of hundred pounds.

    So, basically, it was cheaper to leave systems wide open and claim on the insurance than actually make an effort to be secure.


  8. Hargrove

    It would be amusing

    It would be amusing to see how the insurance industry would price out the premiums for the following requirements:

    Cyber insurance in the amount of $1,000,000 US per incident $3,000,000 in aggregate.

    This is a requirement in a real US government subcontract that a private company has been asked to sign. No information or regulatory reference as to what types of loss or damages must be covered. Requests for that information have generated no response from the prime.

  9. Anonymous Coward

    Interesting couple of articles, despite the lack of popularity.

    Not convincing, however. Insurance companies are effectively an unelected shadow government forcing us to waste even more time and money to comply with boneheaded safety/security regulations. Illegitimate and counterproductive.

    As an example, a guy I worked with got his fingers crushed because the insurer demanded that workers wear gloves when handling sheet metal to reduce the (predictably high) rate of minor cuts, with no regard for the risk of gloves being pulled into machines, and sent inspectors to make them wear gloves. Stupid assholes.

    That was simple low-tech manufacturing. When it comes to "cyber" they really have no clue, and they will never attract enough IT talent to (statistically) get a clue.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019