The Real Value of Cybersecurity Insurance
If you missed the announcement a couple of weeks ago, here it is again: the good insurance folks over at Chubb will give you a discount on cybersecurity insurance if you use Core Security's automated penetration testing software.
How much of a discount? That depends, actually. Chubb won't give specific numbers, but it says 10 to 15 percent depending on the premium, as well as other factor such as size and scope of the operation. Of course, Chubb will take other security measures into consideration, such as other applications used to mitigate risk, industry and exposure to threats, security policies and procedures, and users' online behavior.
What difference does having Core's pen testing application have on the insurance policy? Core's Impact is a powerful, well-heeled application that doesn't just find vulnerabilities in an organization's infrastructure, it pounds at the gates and walls, burrows under and climbs over defenses until it finds a way in--and it always finds a way in. While the Chubb incentive is tied specifically to Core's product, it's not the only pen testing product or service available. The idea is to give organizations a punch list of vulnerabilities to plug before hackers or malware find and exploit them. A good idea in theory, but penetration and vulnerability tests usually produce a laundry list of repair items so long that no organization has the resources or ability to remediate them all.
The real question is what's driving this? Chubb says it's twofold.
First, it's using the discount to encourage best practices and help mitigate risk. Makes sense. Just as auto insurers give discounts for car alarms, window engraving security numbers and safety features, having and using pen-testing tools will likely lead to some improvements in security posture.
Second, it's the market trends. Chubb says the costs of security breaches have doubled each year since 1995, and the threats are becoming exponentially more dangerous and potent than ever before. I won't argue with the threats becoming more powerful, since the security community has done a fairly effective job of routing the low-hanging fruit (common viruses, cherry hackers) that the attacks and offensive tools must become more sophisticated.
The issue I take with this is the concept of cybersecurity insurance. The insurance industry has been pushing these policies for the past seven years, first showing them as a means for accepting a certain amount of risk then elevating their importance by invalidating claims filed under businesses' general liability insurance.
The problem with cybersecurity insurance isn't protecting or compensating for losses, but quantifying the losses. The insurance companies have no real actuarial data to base their premiums and policyholders have the burden of proving what was actually loss during a breach. If a server is hacked and taken out of commission for 24 hours, what is the actual loss to the company? Is it the cost of restoring that server? Is it the lost transactional business? Is it the lost reputational value to the business?
What if the box is an Exchange server and not an e-commerce server? What if the only thing lost is e-mail connectivity for a day? What is the value of those communications? And how could an insurance company possibly compensate a policyholder for those delayed messages? Yes, delayed, since most of those messages will likely reach the users once service is restored.
These are thorny issues facing insurance companies and their policyholders. Is there a place for cybersecurity insurance? Absolutely, but we need better data and valuation metrics to know what we're insuring and what we're entitled to if we're ever breached.
What is your experience with cybersecurity insurance? Send your thoughts to firstname.lastname@example.org.