Cyber Insurance (a.k.a. Technology Insurance)
Linda Kay Monks
Center for Information Security
Department of Computer Science
University of Tulsa, Tulsa, OK 74104
At First Glance
• I didn’t know this type of thing existed
• What?
• What is it?
• That sounds boring
• Compensation culture
• Is this just another way for the rich to make more money?
• Is this just another way to rip hard-working people off who can’t even afford health insurance?
• Fraud? Rip-off schemes (McD’s Coffee, pc ins?) result in raising rates, affecting society
Overview
• An insurer is a company selling the insurance
• An insured or policyholder is the person or entity buying the insurance policy
• The insurance rate is a factor used to determine the amount to be charged for a certain amount of insurance coverage, called the premium, based on risk
Insurance Defined
• In law and economics, insurance is a form of risk management primarily used to hedge against the risk of a contingent loss.
• Defined as the equitable transfer of the risk of a loss, from one entity to another, in exchange for payment.
Traditional Policies
• Auto
• Home
• Health
• Accident
• Sickness
• Unemployment
• Casualty
• Property
• Life
• Liability
• Malpractice
• Business Method Patent (new assurance products can now be protected from copying)
Other Policies
• Aviation
• Boiler (equip/machinery)
• Earthquake
• Flood
• Landlord
• Marine (ships, cargo)
• Volcano (damage-Hawaii)
• Windstorm (tornado)
• Prize Indemnity
– game shows
• Terrorism insurance
– provides protection against any loss or damage caused by terrorist activities
Insuring People That Matter
Employers of:
• Formula One racing drivers
• Hollywood actors
• Musicians
often take out insurance against the risk that star performers are unable to work because of sickness, an accident or even scandal
Specialized Policies
• Entertainment Industry
• Artists and Promoters
• Filmmakers- James Bond
– Film production insurance package has 13 key areas of cover, including: employer’s liability; key person insurance; accident or injury to cast members and crew; damage to negatives; equipment hire; and props.
• Las Vegas- Live Music Events
– Madonna, Pink Floyd, Rolling Stones
• Sports
– Olympics, 21st Century Contingency Planning
Key Man Policies
• Hands
– Rolling Stones guitarist Keith Richards
– Pianist, Liberace
• Legs
– Fred Astaire
– Betty Grable
• Chest Hair
• Teeth
– Actor Ken Dodd
Organizations are covered if the loss of a major asset leads to a loss of money: legs, hands, voice, teeth, chest hair. Famous celebrities depend on aspects of themselves for their fame; if they become disabled or lose that item, they lose their livelihood.
Today’s Companies At Risk
The evolution of the Internet and the way businesses operate has opened society to new attacks
If you have a:
• Web site
• Email/Internet Access
• Credit Cards
• Networked System
• Sensitive Information
• Courier service, third party vendor
Increased Threats
• Theft
• Vandalism
• Natural Disasters
– hurricanes
– earthquakes
– tornadoes
• Power Outages
• Loss of Income, Business, Downtime
• Disgruntled employee
• Corporate Espionage
Secure Information
Threats
• Locking office doors doesn’t prevent unauthorized access to sensitive documents
More Threats
– Hackers, viruses, attacks on authenticating systems, intrusions, defacing websites, phishing, identity theft
– Surveys reveal 90% of businesses and government agencies have detected security breaches
– 75% of these result in financial loss
– 34% admit to less-than-adequate ability to identify if their systems have been compromised
– 33% admit lack of ability to respond
Performance Crash
– Feb. 2000: Coordinated denial-of-service attacks prevented 5 of the 10 most popular websites from serving customers
– Perceptions changed after 9/11
– 2001: Three serious worm attacks in 3 months
• Code Red (July), Nimda (Sept), Klez (Oct)
– Global slowdown of the Internet, measured at 60% degradation in performance
– Slammer Worm, 2003
Managing Risks
• Uncertainty of cyber-risks
• Poses unlimited threat for damages
• Planning and preparation
• Consider the risk in all areas
• Manage risks
– Avoid the risk
– Retain the risk
– Mitigate the risk
– Transfer the risk for a fee (obtain cyber insurance)
Avoid the Risks
Reduce exposure to threats by having no connectivity: not maintaining any dependence on networked computers, the Internet, or a website presence
Retain the Risks
Make an informed, conscious decision
Is it more cost effective to absorb any losses intentionally, or are other risk management options not affordable?
Retaining the risk may be the only financial option; don’t be risk-seeking
Mitigate the Risks
Use managerial and technical processes
• Invest in people and devices to
– Identify threats
– Prepare counter-measures
– Continually improve security processes
Transfer the Risk
To a third party licensed insurance company for a fee
Engages insurance to act as intermediary and conduct smooth payouts for uncertain events and spread variable costs into periodic costs
Options
Take a risk management approach
• Disperse the risks utilizing all approaches
– Use product warranty or service contract
• Conduct internet presence
• Do not take internet transactions
What is it?
• Cyber coverage- offered in traditional policies
• Property and Theft
– Offered in millions
– Based on
– Destruction of Data or Software
– Recovery from viruses or other malicious code
– Business interruption
– Denial of service attacks
– Data theft
– Cyber extortion
– Losses due to terrorist acts
Evolving Insurance
• New type of policy, reactionary
– 1990’s, Early Hacker Policy
– Cyber Insurance started spreading 2002, eight years old
– Love Bug virus 2000 affected 20 countries, 45 million users, caused 8.75 billion in lost productivity and software damage
• Slow Growth
– Companies don’t want to report security breaches
• Result
– standardized insurance prices hard to come by
Cyber Insurance Market Growth
[Chart: Gross Premiums in Millions, by year, 2002 to 2006]
Cyber Insurance Coverages
Traditional Policies
• Normal Liability policies cover physical property
• Computer
– Lightning, reimbursed
– Virus destroys data, downtime, may/may not be covered
Cyber Insurance
• Writes policies that deal directly with technology
• Tailored to fit company needs
Coverages cont’d
• Liability
• Network Security Liability
• Content/electronic media injury
• Privacy/breach of confidentiality liability
Insurers
• Narrow Coverages to target consumers
• May seek to spread risk over different hardware and software platforms
• Large and small organizations
• Bases questions on the Internet and connectivity
Do We Need This?
Cyber Insurance- Conduct Self-Evaluation
– Dependent on networked computer assets
– Produces vulnerability in the market place
– Need and demand protection against cyber risks
– Focus on security, technical prevention of cyber attacks
– Must manage risks as reality
– Do we possess patents, trade secrets
Insurance Evaluation
First and foremost question:
• Look at company’s Network Security
– No firewall, no anti-virus, NO POLICY
• Market segments
• Requires company to do security assessment of current conditions of technology
Security Assessments
Large Corporations
• Require third party assessments
• At company expense
• 16 page+ checklist
• Security configurations
• Documentation of security plans
• Password Management
• Backup Procedures
• Much more
Security Assessments
Small Companies
• Self-Assessment
• 1-2 page checklist
• Basic security procedures:
– Anti-virus software
– Do you update the virus definitions
– Use firewall
– Conduct regular backups
Redundancy in Policies
Auto Policies- don’t carry two
Cyber Policies
• Don’t buy if already covered
• Look at current policies
– Does general liability cover physical damage to computers?
– Does your computer have manufacturer’s warranty?
– Have current agent strike physical property from the current policy, reduce premium.
– Don’t include things you won’t need
– Restaurant has a web site but not a message board, don’t need libel insurance
Benefits
• Insure our people that matter: company, stakeholders, stockholders money
• Produces peace of mind
– Saves money, transfers risk
– Increases safety/self-protection
– Helps facilitate new standards of liability
• Prevent legal liabilities, lawsuits
Insurance Companies
More specialized insurance
Companies that offer Cyber Insurance:
• American International Group (AIG) Inc’s NetAdvantage
• Lloyd’s of London e-Comprehensive
• InsureTrust.com
• J.H. Marsh & McLennan
• Sherwood
• Many online companies
• Not many traditional insurance providers like Allstate, Prudential, Nationwide, or State Farm
Price Points
Policy Coverages
• $5,000 to over 15 million
Typical Cost of a policy
• Hundreds for a $5,000 policy
• $5,000 to $60,000 per $1 million; however, standardizing policies and pricing is difficult, and determining them is a critical challenge for some insurance companies
• Can’t apply brick & mortar costing for digitized assets
• Cost includes info on company’s size, revenue, risk
In Conclusion
• Other industries find it necessary to cover risks through insurance
• Common Sense, aggressive approach to security in the front of the house
• Growing demand dictates that cyber insurance products could become an industry of over 2.5 billion