thoughts on cyberinsurance

Bejtlich slammed out a bunch of posts late last week which I’m still wading through. Excellent food for thought for a whole week or more! I just wanted to jot a few thoughts of my own down, fairly unformulated ideas…

Cyberinsurance. It really does make sense on paper, no? And it’s one of those things we look towards like the sun peeking from the clouds in the distance as we’re still getting poured down upon; there is an end!

Sadly, it’s not a perfect solution. IT is spendy. Unlike fire insurance measures which may just include inheriting whatever the builders built plus marking exits with placards and posting occassional fire extinguishers, we inherit insecure building blocks and have to do a hell of a lot more to detect and monitor while also providing IT services to the business. That’s a very different magnitude.

Fires happen, but not very often. Cyber attacks may not happen to your business very often either, if at all, but they certainly seem to occur on smaller scales very often. Viruses, worms, snarfed credentials, file loss through P2P. While this isn’t like a fire that destroys a building, IT security is more like lots of little fires that can pop up every week in various corners.

Likewise, what if it were profitable for people to set fires to your building? And they could set fires without being physically present? And have little chance of being caught unless the fire gets way too big? I think we’d see lots of fires and fire insurance would have some pretty deep questions to start asking itself.

When a fire occurs, there are professionals trained to examine and determine fire causes. These causes, with extremely exotic exceptions, should be fairly finite and predictable based on the operations that take place in that building. Negligence can be supported with building specifications, local and federal laws and standards, and inspections based on specifics. IT is far more wide in the spectrum of choices, tools, implementations, and so on. There are best practices for things like a Windows shop, but relatively few people know them fully or pursue certs that would help solidify them.

Maybe cyberinsurance will be a way to show compliance? For instance, you do measures X, Y, Z, and part of G, and you won’t have to pay all that much more in premiums. Of course, how much do those measures cost compared to the savings? Taking this a step further, how is this very different from the much-maligned “HackerSafe” logo on websites? As an industry (and the media, and thus average people, and thus culture), we’re very intolerant of single failures. This might be because single failures can affect millions of people in ways we probably don’t even know about yet. Or it might be because it’s all so very dramatic yet… Laptop theft has existing since there have been laptops, but it seems like more now because of the disclosures requirements…

Insurance also seems to be something people buy to protect against things outside their control. Attackers and other digital shenanigans are maybe not so much seen as random or natural acts, but rather things we can control. Why buy cyberinsurance when that money can be spent on the IT/security infrastructure? We still have a lot of ways to become more secure, whereas insurance seems to me to be something you buy when you’re out of alternatives and need a safety net.

Cyberinsurance sure sounds good, but I wonder if our current state is going to upheave such an insurance model in the same fashion that technology is unheaving our idea of copyright and privacy.

Anyway, just some thoughts for me for the future, nothing solid or much that I’d back in a challenging discussion, yet. 🙂

2 thoughts on “thoughts on cyberinsurance

  1. Good points. And imagine that you were rebuilding parts of your building constantly, with new builders who might or might not know the building code (or even have any real experience doing construction). Imagine that every week someone discovered a new way of breaking into your building even if you weren’t changing anything.
    Having said that, I have seen insurers take a look at cybersecurity measures as part of their overall assessment of a company they’re insuring. But this was ten years ago, and it was a very cursory glance. I was impressed to see it happen at all, though.

  2. Nice!
    While I might sound very dubious about cyberinsurance, we might just need to “Do It” at some point, and see what the results are. Maybe it really can only ever be a cursory glance unless one contracts for a customized service which looks deeply at the company in the context of the company. Then again, maybe it is one of those puzzle pieces you look at 10 times and don’t even try to fit it into that tough section because it doesn’t look like it would fit…only to later find out it did fit once you tried.

Comments are closed.