After the Breach (Part 2): Cyber-Insurance?

APTs and cybercriminals are in the news again with more end-of-2014 breach statistics emerging from the analysts. Here’s an update of my After the Breach (Part 1) post with links to some of the latest information, and a new take on a table showing large U.S. data breaches over a 10 year period.

Key: The red lines indicate credit card or social security number data was lost. Orange lines variously indicate breach of encrypted financial information, non-financial personal information, passwords and related information, but not credit cards.

A new catalogue of breaches from 2014 just came out from Riley Walters at the Heritage Foundation. This highlights many smaller events that occurred this year, and some larger attacks involving an effective denial of service that aren’t covered in the typical breach roundup.

Check out the bottom table from the Bloomberg article that inspired my figure above. I hadn’t noticed this before, but if you scroll down and mouse over the data in Bloomberg’s lower “data breaches over time” table, hundreds of references come up. And if you click on “by cause” at the top of the table, you’ll see that the vast majority of the breaches are caused by malicious outsiders, accidental loss and physical loss.

The Heritage article takes every opportunity to cite “China.” The NSA also gets into the act with the announcement that Foreign Powers Steal Data on Critical U.S. Infrastructure. Not just China, but Russia and an unnamed third power too.

Gotta love FUD, and it may be so. But when it comes to financial data breaches our main concerns are cybercriminals and our own incompetence, not nation states or APTs.

Can a Business-Like Approach to Risk Management Get Breaches Under Control?

Many large breaches suggest an “out of control” picture, but I think that together business executives and security professionals can make progress going forward if they take a more business-like approach to risk management. In the coming weeks, I’m going to focus a lot more on governance. But in this post, let’s talk risk transfer – or specifically, insurance.

In my article, Cyber-Insurance: A Market-Based Approach to Risk Management, I suggest that although insurance has its problems it can provide strong financial signalling up and down the financial, fiduciary and organizational hierarchy to drive the kinds of behavior that actually reduce the risk of expensive breaches.

Change is required. According to Fred Cohen of Fearless Security, if you take a list of the big retail box stores and ask how many have been hacked in the last year, and how much was taken:

“I think about six large retailers have been hit for more than seven million people’s credit card data in the last year. Out of the top 24 big box retail stores, this means a 25% chance of losses in excess of $50 million (assuming only $8 per credit card replaced). At $50 million in insurance payout per store, the risk pool would have to pay an average of $250,000 per million in insurance premiums for insurers to break even, or for $50 million in coverage, premiums of $12.5M per store.”

I haven’t checked Fred’s numbers, but I know that he took the Heritage article (and perhaps other sources) into consideration. Fred and I, along with Ridge Global Security, are all involved in a cyber-insurance initiative. But Fred’s quote leaves me wondering how cyber-insurance can live up to its promise if the premiums have to be so high. Here are some ideas:
  • Strict requirements on the insured company’s security programs can limit the risk of breach, limit the insurer’s risk of paying out, and justify a lower than average premium.
  • Security assessments can help insurers judge the risk of a breach for a given company, thus driving premiums, terms and the decision on coverage.
  • Over time, actuarial data collected from assessments, incident or breach reporting and root cause analysis can refine the insurability assessment criteria, requirements for ongoing coverage and policy limitations.

Whether this works or not is a question whose answer can only play out over time. But it’s more than a theoretical question, as I’ll describe in an upcoming post on “A Corporate Experiment in Cyber Self-Insurance.”

What do you think? Why, then, do we keep experiencing breach after breach? Are we proposing too many controls? Are they too hard to implement without errors? Can we hone it down to a smaller, but more effective set of controls? Or do we just need better governance?

If all this leaves you (understandably) wondering what to do to prevent a breach, please go back to these previous articles, which closed with a number of recommendations.
