Cyber Insurance for Data Breaches

Márk Félegyházi
Laboratory of Cryptography and System Security (CrySyS Lab)

Department of Telecommunications
Budapest University of Technology and Economics

www.crysys.hu


Failure to protect data

2006 May – Department of Veterans Affairs – 28.6m name, SSN, DoB
2007 March – TJ Maxx – 94m credit and debit cards
2008 end – Heartland Payment Systems – 100m credit and debit card info
2011 April – Sony Online – 24.6m accounts

Is this going to continue?


Failure to protect data

AND Wall Street Journal, 2007 Sep 22:


Cost of breach is substantial

SME breach of 25000 records – cost of $4.16m
Sony breach of 77m records compromised
– $171m spent (May 24, 2011) on
– total costs?
  • $258 per record – $20.6 billion
  • conservative – $5.6 billion


Solution – Static audits

Payment Card Industry Data Security Standard (PCI DSS)

[Figure: content provider, users, Malice, auditor]


Proposal – Dynamic security monitoring + Insurance

[Figure: content provider, users, Malice, security company, cyber-insurance company]


Key points

data value assessment
design a clear data flow in system
monitor data flow
establish security


Márk Félegyházi, Crysys Lab, BME-HIT
