Something interesting is happening in security: we're starting to see demand for "cyber" insurance from several unexpected quarters. Ignoring whether the adjective "cyber" is appropriate, the fact that it's on the table at all is a big deal. In some ways, it represents a coming of age for security, and a recognition of what it means to truly live and do business in a connected world.
The basics of insurance are quite simple: aggregate the statistical likelihood of incidents over a population, multiply it by the cost per incident to determine the expected payout, add a profit margin, and spread the resulting "cost" over the population. For the members of that population, that means that if lightning strikes you in particular, you're ok; and if it doesn't, it's a negligible cost. It's really a straightforward set of equations that could be expressed this way:
I highlighted the chance of an incident (C) and the damage per incident (D) in red because these are what truly need to be known for insurance companies to be viable and succeed in any market, cyber or otherwise. Oh, and here's the tricky part: they have to be predictable. If C and D aren't predictable and instead vary wildly, then the profit ratio has to grow to cover the risk. In fact the second equation might instead look like this, where the risk term (r) has to grow proportionately:
In a world where you don't know C and D, the rate per customer (R) gets very high. The best way to limit this is to bound the cases in which an insurance company might pay out, and then get very good historical data to drive predictive models for future incidents. And there's the rub: there isn't enough of the right sort of data, in the right places, for insurance companies to cover their risk affordably at the moment. The thin body of history (and the complete lack of case law on this) is daunting to insurance companies.
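The two equations themselves do not survive on this page, so here is an added illustration of the argument above, not the author's own figures or formulas: a small Monte Carlo in Python that prices a pure premium of C times D per policyholder and then measures the extra margin r that an insurer targeting 99% solvency has to charge once it does not actually know C and D. The values of BASE_C and BASE_D, the 0.2x to 1.8x uncertainty band, the portfolio size, the solvency target, and the simplification that one year's true C and D apply to the whole book are all assumptions made for the example.

```python
import random

# Long-run averages assumed for the illustration (the post gives no numbers):
# a 5% chance of an incident per policyholder per year, 100 units of damage
# per incident.
BASE_C = 0.05
BASE_D = 100.0


def expected_loss_per_head(c, d):
    """Pure premium: chance of an incident times damage per incident."""
    return c * d


def premium_with_margin(c, d, margin):
    """The simple pricing from the post: expected loss plus a profit margin."""
    return expected_loss_per_head(c, d) * (1.0 + margin)


def predictable_year(rng):
    """C and D are exactly what the actuarial tables say."""
    return BASE_C, BASE_D


def unpredictable_year(rng):
    """Same long-run averages, but this year's true C and D are unknown to the
    insurer and can land anywhere from 0.2x to 1.8x of the assumed values
    (assumed band). Both draws are portfolio-wide: a bad year is bad for
    every policyholder at once, so the error does not average out."""
    return (rng.uniform(0.2 * BASE_C, 1.8 * BASE_C),
            rng.uniform(0.2 * BASE_D, 1.8 * BASE_D))


def simulate_years(n_policies, year_params, trials, seed):
    """Total portfolio loss for each of `trials` simulated years."""
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        c, d = year_params(rng)
        incidents = sum(1 for _ in range(n_policies) if rng.random() < c)
        totals.append(incidents * d)
    return totals


def required_premium(totals, n_policies, solvency):
    """Premium per policyholder such that collected premiums cover the year's
    losses in a `solvency` fraction of simulated years (e.g. 99 of 100)."""
    ordered = sorted(totals)
    idx = min(len(ordered) - 1, int(solvency * len(ordered)))
    return ordered[idx] / n_policies


def risk_load(required, expected):
    """The extra margin r, as a fraction on top of the pure premium."""
    return required / expected - 1.0


def compare(n_policies=1000, trials=500, solvency=0.99, seed=7):
    """Required premium and risk load with known vs. unknown C and D."""
    expected = expected_loss_per_head(BASE_C, BASE_D)
    results = {}
    for name, params in (("predictable", predictable_year),
                         ("unpredictable", unpredictable_year)):
        totals = simulate_years(n_policies, params, trials, seed)
        req = required_premium(totals, n_policies, solvency)
        results[name] = {"required_premium": req,
                         "risk_load": risk_load(req, expected)}
    return results


if __name__ == "__main__":
    print("pure premium per head:", expected_loss_per_head(BASE_C, BASE_D))
    for name, r in compare().items():
        print(f"{name:13s} premium needed at 99% solvency: "
              f"{r['required_premium']:6.2f}  (risk load {r['risk_load']:.0%})")
```

Run it and the "predictable" book needs only a modest load over the 5.0 pure premium, because the randomness of which policyholders get hit averages out across a thousand policies. The "unpredictable" book needs roughly twice the premium: not knowing C and D is an error that lands on every policy in the same year, and no amount of pooling removes it. That is the gap that bounded payouts and historical data are meant to close.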
So as acquirers in mergers and acquisitions require the companies they buy to carry cyber insurance, and as new regulations dictate "thou shalt have cyber insurance," new policies are coming on the scene. What I've seen is CISOs at insurance firms suddenly being brought into business decisions. I've also seen the re-insurers start to ask how to re-insure cyber insurance policies, and that's when you know you've hit the big time in the insurance world.
The actuarial tables are being built. The data is being sought, and frankly this is an exciting thing for security. For years, we’ve struggled as an industry to demonstrate business alignment to the rest of the company and to show business value. Well, this is the time. Do we know risk in IT? Sure. But do we know business risk like the insurance industry? Not even close.
Much of the security industry has proven to be iatrogenic: in the microcosm it becomes undeniable that a particular control or process should be adopted, but in the bigger picture it becomes clear that our gear is making a mess. So much of security (as I discussed in the last blog) could be thrown away without reducing security, and removing it might even help. I am particularly relishing the idea that one day a prescriptive regulation may say "deploy control Y" at the same time as it requires cyber insurance, and the policy written for that insurance may demonstrate the deleterious effect of the control: removing "Y" might in fact reduce the C and D above (the chance of an incident and the damage from one).
And as more insurers build their tables and publish (as they are required to) the factors that drive their policies, we will get more transparency and understanding of the world of IT security, and a real seat at the table where security belongs: mitigating business risk. To continue the theme of my earlier blog, the insurance industry (once it gets the data right and the tables built) may help us determine a natural lifecycle for tools, and so what to invest in and what to discard.
That’s a nice thought.
In the meantime, though, I highly recommend that insurers bound cyber insurance carefully and truly understand that in a world of human-to-human conflict there is no such thing as a "Hack of God."