Cybersecurity insurance may push companies to better security

Summary: Cybersecurity insurance is probably a requirement now for a business of any import, and the insurers are looking in on customers to try to prevent breaches.

TOPICS: Security

You'd think that the need to use best security practices would be self-evident to any executive by now. Unfortunately, they have a lot of priorities to juggle and the consequences of a major breach are hard to grasp until you live through one.

Even if they don't understand the need for all the security measures they should be taking, businesspeople understand what insurance is, and as a result cybersecurity insurance is a rapidly-growing business. As the Department of Homeland Security puts it, such insurance "is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage." It may also cover regulatory fines and the cost of coming back into compliance with various regimes and certifications. There are significant potential costs it doesn't cover, such as loss of intellectual property, which is a particularly nasty risk to price.

I spoke with Stephen Boyer, Founder and CTO of BitSight, which consults with insurers on their cybersecurity policies.

BitSight does a lot of the same work that security research and consulting firms do, but one thing it does specifically for insurers is test the security posture of policy holders. The goal isn't just to find out what's wrong with a particular company (they do that too, and pass it on to the insurer, who passes it on to the customer) but also to develop systematic methods of risk analysis.

Insurers have old, tried and true ways to rate the risk of customers for more conventional forms of insurance, like homeowners and professional malpractice, but cybersecurity insurance is both new and increasingly competitive. It creates an uncomfortably risky situation for the insurers themselves. The "data-driven risk management" BitSight is working on, explained by Boyer in a recent webinar, might help insurers to price the risk more accurately, and this will be better for everyone (at least in the big picture).

They know a few things about risk profiles generally; for instance, once companies experience a breach, they take the measures to prevent the next one far more seriously. The hard part is preventing that first breach. Most of what insurers know about companies comes from self-assessments which, like PCI self-assessments, are often more reflective of wishful thinking than of facts on the ground. (Apparently they are termed "aspirational" in the business.)

A great way to rate companies accurately would be to pen-test them, not just at the time of application but periodically and without warning. This is far too expensive for an insurer to require as a matter of course, although a company which performs such tests on its own undoubtedly qualifies as a better risk.

Instead, BitSight partners with other security intelligence firms to analyze intelligence world-wide for signs of problems at customers. For instance, if a computer in the address space of one of the insured companies is observed connecting out to a known C&C (command and control) server, it's a pretty good sign that there's a compromised system on that customer's network.
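The check described above, as an added example that is not BitSight's code or anything the article reproduces: an outside observer only knows which public IP ranges belong to the insured company, so the logic is "source address falls inside the customer's ranges, destination matches a C&C indicator." The flow records, the IP ranges and the indicator list below are all constructed for the illustration; the malware family names are hypothetical.

```python
"""Flag hosts inside an insured organisation's address space that connect
to known command-and-control (C&C) infrastructure.

Added example, not BitSight's code. All data below is constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed: public ranges assumed to belong to the insured organisation.
ORG_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]

# Constructed C&C indicators as a threat-intel feed might supply them.
# A bare IP matches any port; "ip:port" matches only that port and wins
# over the bare-IP entry when both are present.
C2_INDICATORS = {
    "192.0.2.44": "ExampleRAT (hypothetical)",
    "192.0.2.200:4444": "ExampleBot (hypothetical)",
}

# Constructed netflow-style records: timestamp src dst dst_port bytes_out.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z 203.0.113.17 192.0.2.44 443 8120
2024-05-01T10:00:05Z 203.0.113.17 93.184.216.34 443 2210
2024-05-01T10:02:13Z 198.51.100.9 192.0.2.200 4444 31
2024-05-01T10:02:14Z 198.51.100.200 192.0.2.44 443 90
2024-05-01T10:03:00Z 10.0.0.5 192.0.2.44 443 90
"""


def parse_flow(line):
    """Split one whitespace-separated flow record into typed fields."""
    ts, src, dst, port, nbytes = line.split()
    return {"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
            "port": int(port), "bytes": int(nbytes)}


def in_org(addr):
    """True when addr lies in one of the organisation's registered ranges."""
    return any(addr in net for net in ORG_RANGES)


def match_indicator(dst, port):
    """Return the indicator name for dst (and port), or None."""
    exact = C2_INDICATORS.get(f"{dst}:{port}")
    if exact:
        return exact
    return C2_INDICATORS.get(str(dst))


def find_c2_beacons(flow_text):
    """Return (src, dst, port, indicator) for every flow that originates in the
    organisation's address space and lands on a C&C indicator.

    Flows from addresses outside ORG_RANGES are ignored even when they hit an
    indicator: the observer cannot attribute them to this customer.
    """
    hits = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if not in_org(flow["src"]):
            continue
        name = match_indicator(flow["dst"], flow["port"])
        if name:
            hits.append((str(flow["src"]), str(flow["dst"]), flow["port"], name))
    return hits


if __name__ == "__main__":
    for src, dst, port, name in find_c2_beacons(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port} matches {name}")
```

Two of the five constructed flows are flagged: 203.0.113.17 talking to the bare-IP indicator, and 198.51.100.9 hitting the port-specific one. The flow from 198.51.100.200 is dropped because the organisation's second range is a /25 and that address is outside it, which is the attribution boundary an outside observer has to live with. In practice a single hit on an IP indicator is a lead, not proof: shared hosting and sinkholed domains produce false positives, so an insurer's analyst would want the indicator's age and the beacon's repetition before calling a customer.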

Boyer says about one in three companies has a policy like this. While it has the potential to decrease risk for customers, insurance also has the potential to induce "optimism bias," i.e. the sense that you don't have to worry about the problem as much because you have insurance. This is plainly a stupid attitude — do you drive recklessly because you have auto insurance? — but it happens.

But insurance can help to normalize this business and make the sloppiness of such thinking more obvious to everyone, and the result might be that everyone's security profile rises.

That would be good.

  • The market tends to reward corner-cutters in the short term.

    This is true in all industries, and it is the reason why we have government mandated safety features in cars, aircraft, etc; whatever is spent VOLUNTARILY by one competitor to increase safety, UNLESS it is so obvious that customers are willing to pay more for a product or service to get it, hurts the bottom line when other competitors are willing to take more risk and thus produce things at lower cost (this also applies to employee benefits, pollution control, etc.). Only when regulations are made and ENFORCED, to the extent that cutting corners is more risky legally than it is profitable, will the "good guys" be able to compete with the "bad guys."

    In terms of cybersecurity, this means that, unless there are mandatory tests, and an independent way of publishing the results outside of advertising (like the newspaper column and TV news segment that highlights the worst offending food serving businesses every week), neither customers nor senior management really knows how secure a network really is. Add to this the fact that, except for the most obvious precautions (such as the bank ads that show cardholders being alerted about a purchase in Pakistan when the cardholder is not), the details must be kept secret, and we have a tough problem.

    If all legitimate business holders practiced safety all the time without being regulated and inspected (those "burdensome regulations"), sugar refiners and fertilizer plants wouldn't explode (as in Georgia a few years back and Texas more recently), cars wouldn't lose power or brakes suddenly, holiday shoppers wouldn't have their personal info stolen from their favorite store's checkout systems. At least much less often.

    (As for the sugar refinery, sugar has 18 kilocalories per teaspoon; a few tons of sugar has millions of kilocalories, and when sugar dust is in the air, a spark can cause all of them to go up very quickly.)
    • Very True

      I was working with some executives who had a really bad attitude. They thought that the primary concern should be the business need, getting from point "A" to point "B", as quickly as possible and security, while nice to have, should be ignored until later (meaning, "never"). As Larry pointed out, that means they will never do anything about security until after they have a breach and, with CJIS data, after the FBI comes to pay them a visit. Even then, it would only be a matter of time before things are 'back to normal'. People don't like to deal with "ARMS":