Super Viruses Complicate an Already Difficult Team-Building Endeavor; Insurers Continue to Get That Uneasy Feeling
This story is part II of an ongoing series of reports focusing on the growing issue of insurance and cyber security. Click here to review Part I.
By Bob Felton
Even as relationships among manufacturers, their IT departments, the federal government and insurers grows ever more complex under the influence of ever-evolving privacy legislation, emerging cyber threats, and case law, insurers worldwide are growing uneasy before the prospect of a new generation of Stuxnet-like super viruses capable of targeting and destroying or, perhaps worse, appropriating, manufacturing control systems.
[private]A headline at the Commercial Risk Europe Web site sums it up nicely: German risk managers fear computer worm Stuxnet.
“And the attack has caused observers to ask if such cyber threats are a new kind of warfare. According to (Hans-Jürgen Allerdissen, Head of Deutsche Verkehrs-Assekuranz-Vermittlungs-GmbH, Deutsche Bahn’s risk management company), Stuxnet is not comparable to any other IT threat seen in the past.
“The fresh onslaught comes at a time when insurers are generally showing a restrictive attitude towards IT risks.”
Broadly, there are two types of risk for which a company may need protection. The first is a breach of privacy data, requiring client notifications and, depending upon the relevant law, indemnification. The second risk, no less worrisome and vastly more difficult to measure, arises from operating losses or actual destruction of hardware and data.
But even as insurers rethink their posture with respect to protecting against some classes of cyber risks, evolving security strategies point toward them as allies able to apply market forces to encourage better practices and better reporting of breaches as devices for reducing premium costs.
Take a look at comments made by the Internet Security Alliance (ISA) in response to a NIST plan to study cyber-security economics:
“To the extent that companies must report losses to their insurance carrier who will take into consideration such losses when establishing future premium levels, the existence of a robust insurance industry will provide market place incentives for companies to provide information about security breaches, losses and investments as well as provide incentives to take action to reduce such breaches, losses and investments.”
Presently, says ISA Executive Director Larry Clinton, “In the world of cyber security, all the [financial] incentives are with the bad guys.” ISA proposes a public/private alliance akin to that used to build-out the nation’s electric grid as a means to reverse those incentives, with these provisions:
• Requiring federal contractors, and their subcontractors, to have cyber insurance. This automatically increases demand, luring insurance companies.
• Capping insurance company’s liability; in effect, for the federal government to agree to serve as the insurer of last resort. This, Clinton points out, diffuses risk rather than concentrates it, because “Currently, the federal government is carrying all the risk.” In the event of a cyber hurricane, that is, the federal government will have no choice but to ante up, as in the case of the economic bailouts of the past few years. When federal guarantees draw insurance companies into the security matrix, with a portion of their receipts escrowed for funding protection against future catastrophic events, the result is the insured companies and their customers ultimately fund the protection rather than Uncle Sam.
• Presently, antitrust laws prevent businesses from sharing information that will set prices. ISA recommends making an exception to permit insurance firms to share and compile data for actuarial purposes. A company has its own data, for instance – but has no way to measure the experience of its clients against the generality of clients. Sharing data will permit insurers to better assess risk writ large, and help to spot problems amongst their own clientele.
A New Era
Meantime, businesses just awakening to the need for insurance remain uneasy at the prospect of permitting underwriters to take a too-close look at their computer systems and unsure what products they actually need. Policies that offer help avoiding losses hold especial appeal.
A market survey from Betterley Risk Research illuminates the uncertainty nicely:
“We asked about the Two Most Important Coverages in a cyber policy; there were clear distinctions between the insureds and those not yet covered. The uninsured did not see Fines and Penalties coverage as being as important as did those that already have coverage. This may be a function of product knowledge; the uninsured are not as knowledgeable as the insureds.
“Policies that include services to help avoid losses and those that minimize losses that still occur were very attractive, especially to those not yet insured. This indicates that the availability of services could be a strong but underutilized selling point. Brokers should make more of an effort to educate their prospects about the availability and value of these services in cyber policies.”
So, even as new classes of engineered viruses make insurers wary of deepening their commitment to some parts of the market, a growing number of companies are for the same reason increasingly interested in insurance.
In connection with privacy breaches, business is good and getter better, says Rick Betterley. “Cyber’s just been booming the past few years,” and “the insurance industry is putting a lot of attention on this product opportunity.”
Most Breaches Avoidable
In connection with attacks that might cripple a business, as Stuxnet appears to have setback the Iranian atomic program, assessing actual risk is difficult and insurers are wary. Addressing their concerns, Clinton is quick to point out, is exactly what ISA’s proposed legislation will do. He is quick to add, too, the overwhelming majority of data breaches are preventable by enforcing enterprise-wide, good-practice security measures urged by experts almost universally.
A joint-study conducted by Verizon and the U.S. Secret Service, for instance, found 94% of the breaches they investigated could have been prevented. With market-based incentives, he argues, insurance companies are exactly the party best situated to impose that enforcement.
Though uncertainty and hesitation may be the rule as the big corporate and public-sector players try to sort through the complexities of their individual needs, exposures and liabilities, neither vandals nor thieves are so punctilious.
On Wednesday, December 8, a global attack by “hacktivists” annoyed by several government’s actions against Wikileaks temporarily shut down the MasterCard and Visa Web sites. Late in the day, many of the sites from which the attacks originated were themselves knocked offline.
Complicating matters is the sense by some that attacks by Stuxnet, and similarly focused viruses in the future, and the activism and counter-activism in connection with Wikileaks, are not mere criminality, but acts of war:
[Hans-Jürgen Allerdissen, Head of Deutsche Verkehrs-Assekuranz-Vermittlungs-GmbH] is worried that insurers may increase rates or else be tempted to exclude cover for damage caused by Stuxnet and its so far unknown ugly relatives. “I am concerned about the fact that governments or governmental organisations developed such hazards for others,” he said.
And the attack has caused observers to ask if such cyber threats are a new kind of warfare.
To merely pose the question is to underscore the gravity of the threat, and the need to proactively erect a defense. Clinton is optimistic the legislation he proposes will be drafted this year. “We as a nation,” he says, “cannot afford to not afford to make the investments that mitigate the risk.”
Bob Felton is a freelance writer based in Wake Forest, NC.[/private]