Does cyber insurance make us more (or less) secure?

Underwriting cyber risk remains more art than science, but in the absence of regulation, cyber insurance might still be the best hope for improving cybersecurity practices across the board — at least for now.

1 2 Page 2
Page 2 of 2

Quantifying cyber risk

Insurance is all about the data. In a perfect world, if you knew exactly how often Bad Things Happen, you could perfectly predict how often any given company might suffer a Bad Thing. The result would be fair insurance premiums that spread the risk across a large pool of companies, to the betterment of all society.

Alas, that is not the world we live in — at least, not yet.

To make things worse, even if you had a complete set of data for every cyber incident for the last 20 years, it wouldn't make measuring risk much easier, as threats are constantly evolving. The holy grail for cyber insurance carriers, therefore, is real-time data about today's threats, to anticipate threats just over the event horizon.

In pursuit of that goal, over the last several years companies like FICO, BitSight, SecurityScorecard, and risk modeling companies like AIR Worldwide and RMS, have begun researching how to quantify the problem in real time. Many scan the entire IPv4 address space once a week, web-scrape SEC filings looking for breach notifications, analyze who is using what cloud provider, and so forth. Several sources told CSO they welcomed the advent of the GDPR breach notification law as a way to acquire more and better data to model cyber risk.

"What I hope is that insurance companies will figure this out in an objective, justifiable way what kind of security controls work and which don't," Romanosky says. "Everyone would like to see something objective and quantifiable, it makes everyone's life easier. We all have this sense that if we could turn everything into a score, it would be easier for us to decide and to rank things."

These efforts to quantify cyber risk focus on uncovering correlations between a company's public-facing security posture before and during a security incident, and compare breached companies with those that have not (yet) suffered a breach. Correlation is not causation, of course, but at macro scale in the insurance business, correlation is sound actuarial science. It's all about the statistics.

Turns out there is a significant difference between companies that have suffered a breach and those that have not, Clare says. "The FICO enterprise security score is essentially a machine learning model trained against examplars — several thousand breached organizations and many more thousands non-breached organizations," Clare says. "We look objectively at the problem, and we associate what we can observe in terms of internet-facing network assets against a corpus of breach exemplars."

FICO, of course, are the same folks that do consumer credit scores and have been around since 1956. A few years ago, it decided to get into the cyber game and bought QuadMetrics, one of the most respected startups in this space. QuadMetrics emerged out of the University of Michigan with initial funding from the Department of Homeland Security.

Just as a credit score might look at factors such as paying your bills on time, or current salary, or employment history, a FICO security score also looks at several dozen features, what Clare says are indicators of security "sloppiness."

While Clare emphasizes that the machine learning features FICO uses are proprietary, he gave CSO three examples. Poor certificate management, such as expired TLS certificates, or use of self-signed certificates, is a red flag, and suggests substandard security practices. Compromised endpoint devices sending spam are likewise an indicator that something might be amiss. Running a public-facing NTP server is also a sign a company may have sloppy security practices.

"Unless you're trying to serve time to the internet, why do you have an NTP server that responds to a ping?" Clare asks. "What else are you exposing that you shouldn't be exposing to the internet?"

While an exposed NTP server might never be the cause of a breach, it is, Clare says, representative of a company's security posture. "If you're not cleaning that stuff up, and don't even know you have it, what else don't you know?"

Security scoring metrics are one of the major trends developing in cyber insurance today and make possible cyber insurance at scale. "You might be able to [use questionnaires] for a handful or a few dozen of your very significant clients, the top 100, or the top 200 clients of yours, but how do you scale it?" Christos Mitas, vice president of model development at RMS, asks. "If you're trying to target the small and medium enterprise market, there's not an easy way to do that."

Drawbacks of security scores

Everyone in the cyber insurance business seems to agree that security scores in combination with subjective questionnaires are superior to questionnaires alone, but security scores have their own drawbacks. "It's kind of like assessing your house by looking at a picture of the outside," Romanosky says. What if the basement is flooded, or the kitchen needs to be remodeled? An attractive exterior could hide severe structural issues.

A company that knew, or was able to guess, what external factors underwriters are looking at could, in theory, game the system by just fixing the public-facing bits that affected their insurance premiums, and not bother to secure the rest. As a result, what security metrics companies really want is a look inside the house, Scott Stransky, assistant vice president and principal scientist for AIR Worldwide, says.

"AIR is part of the Verisk family," Stransky says. "They have a team on the property side, and what they do is literally go around from business to business and they go inside the business in the physical sense. They inspect the sprinkler system, the elevator, the server rooms. Now we know all about that building."

Verisk uses this data to model fire risk, among other things, for example. In a similar way, Stransky suggests, the future of cyber risk modeling might be an inside look at an enterprise's network and systems. "Can we stick this flash drive into your system?" Stransky suggests AIR might one day ask clients. "If you do this, we're able to give you discounts on your insurance."

Quantifying cyber risk for any given company is a hard problem, but what really keeps people like Stransky up at night is the interconnected, and interdependent, nature of the internet. A key strategy of insurance carriers is to diversify their risk portfolio — if every insured company gets hit by an attack at the same time, the resulting claims would bankrupt the insurance carrier.

Worse, if the insurance carrier itself faces the same risk as their clients, that's a recipe for disaster. "We do have a real problem with cyber insurance's ability to not carry the same risk it is insuring," Éireann Leverett, founder and CEO of Concinnity Risks, tells CSO. "If you insure against floods, you don't want your headquarters in New Orleans. You don't want to be a victim of the same risk you are insuring against. How does someone insure against cyber risk without potentially being at risk of a cyber event themselves?"

The increasingly centralized dependence on cloud providers, in particular, has a lot of insurance carriers worried. An attack, or an accidental failure, of a top-three cloud provider could cause widespread outages leading to billions of dollars in losses within a few days, a joint report by Lloyd's and AIR concluded earlier this year.

What happens if AWS goes down?

Insurance wonks talk about "cat risk," short for catastrophic risk. Insurance carriers themselves have insurance — so-called re-insurers — and at a macro scale, re-insurers are thinking out loud about how to mitigate cat risk in the cyber insurance market.

In a report entitled "Cloud Down," Lloyd's of London and AIR Worldwide examined the systemic risk posed by widespread reliance on centralized cloud service providers, especially Amazon's Web Services (AWS), which has more than 30 percent of the cloud provider market as of this writing.

"Given the state of the cyber insurance industry today," the report concludes, "a cyber incident that takes a top three cloud provider offline in the US for three to six days would result in ground-up loss central estimates between $6.9 and $14.7 billion and between $1.5 and $2.8 billion in industry insured losses."

That kind of systemic risk is like if you only insure houses in South Florida against hurricanes. If a hurricane destroys all those houses, your insurance carrier goes out of business. Likewise, if all your customers use AWS, and AWS goes down, your insurance carrier might go bankrupt trying to pay all those claims at once.

"Security breaches are bad, but tend to impact one company at a time," Stransky says. "Limits are relatively low, insurers can handle payouts like that. On the other hand," he points out, "with business interruption, now imagine a major cloud provider like AWS failing. Now it's not just one company being impacted; it's multiple companies that rely upon that cloud."

The report emphasizes that both accidents and malicious adversaries could take a cloud provider offline and disrupt business for the cloud's customers. The report cites the April, 2011 AWS outage that cascaded across multiple availability zones in Amazon's U.S. East region.

Even more terrifying than cat risk is the worrisome cocktail of moral hazard and cat risk combined. If everyone passes the buck, and nobody does the hard work to secure all the things, then we face potentially catastrophic consequences, not just for shareholders, but for society as a whole.

Worse, companies acting in good faith, who perform their due diligence, who purchase cyber insurance to transfer only residual risk, who consider cat risk and deploy adequate redundancies, working their hardest to do the right thing could still be severely damaged by a nation-state attacker. Dealing with incompetent enterprise security is a solvable problem, given appropriate regulatory and fiscal incentives. Dealing with nation-state attackers determined to engage in espionage or sabotage is a different kind of problem entirely.

How, if at all, can cyber insurance deal with the risk of cyber war?

Insuring against cyber war

Crack open a typical consumer insurance policy, and you will notice that your car insurance does not cover acts of war or terrorism, among other standard exclusions. When it comes to cyber risk, however, any enterprise doing anything remotely interesting has nation-state attackers in their threat model. Such adversaries may want to steal intellectual property, or spy on international trade deals, steal customer databases for espionage purposes, or even disrupt business operations.

"A big topic of interest in cyber insurance are exclusions," Clare says. "Do the customers— the insured — understand the exclusions? Are they appropriate? Should they be pushed back on? That's an open debate and constitutes something that's payable versus that's not payable."

Insuring against the background noise of the internet — automated attacks like Conficker, easily mitigated XSS or SQLi attacks, and so forth — is one thing. Insuring against a determined human attacker with the resources of a nation-state is problematic, to say the least. Defending against an advanced persistent threat (APT) in the private sector is extremely difficult, and enterprises are asking insurance carriers for policies that cover cyber war. With some exceptions, most cyber insurance carriers are refusing to insure against such risks.

"War is not insurable," Mitas says.

Things get tricky in the cyber domain, though. What, exactly, is "cyber war"? If a foreign army invades and a tank crushes your car, it's clear your car insurance isn't going to pay out. The nebulous definition of what constitutes "cyber war" makes this less obvious. Most cyber insurance policies contain a war exclusion, but what does it exclude, and when does that exclusion kick in? The plausibly deniable nature of many possible acts of "cyber war" makes insurance carriers uneasy.

"Many [cyber] policies have a war and terrorism exclusion within them," Stanley tells CSO. "Of course, one of the challenges is that as soon as there is a cyber attack, you don't know who's done it. It could be a spotty kid in his bedroom, or an Eastern European gang, or the North Korean cyber army. Even if you think it is them, the first thing they are going to do is deny it. So that is definitely a challenge."

Not everyone agrees that cyber terrorism is uninsurable, however. Leverett compares malicious actors online to piracy in the days of sail. "Piracy didn't go away, but global trade on the high seas became safer and safer over time," Leverett says. "The insurance business played a role in that. In some cases, insurers would hire former pirates to come and live in London and tell them how piracy worked. Once they even installed a pirate as a governor of one of the West Indies islands."

Nation-state hackers can do more than sink a ship or two, though, and can create chaos at scale. A common, but by no means universal, exclusion denies claims based on damage to physical property or loss of human life. For instance, an act of "cyber war" that destroyed a business-critical database might be covered, but an act of sabotage by a foreign power — attributed or not — that causes your factory generator to explode, destroying the facility and killing employees, might not be covered. "It's an open question still, and quite worrisome for the whole industry," Mitas says.

Is a "cyber 9/11" or Hurricane Andrew on its way?

When Hurricane Andrew smashed its way through South Florida in 1992, not only were the people of Florida devastated, so were their insurers. Too many insurance carriers under-rated the risk of such a catastrophic storm, and many of those insurance carriers went bankrupt. The hurricane was a wake-up call to the insurance market to re-assess how they modeled cat risk. We may be in a similar situation today.

Insurance carriers want to sell cyber insurance based on quantified risk, with lower premiums for enterprises that deploy strong security controls. That's the world we want to live in, but it's not the world we do live in today. How we get from here to there is less clear, and some insurance experts worry we may need to suffer a catastrophic loss event before we understand the true nature of the risk.

"Today if you live in Texas, you can get hail resistant shingling on your house, and if you do that, the insurer will give you a cheaper insurance policy, because your house is less likely to suffer a loss in a hailstorm," Stransky says. "Frankly the only way to get there is a major cyber event. We had to have Hurricane Andrew to understand hurricane risk. We hate to say it, but it will probably take a big event to shake up the market."

Such a catastrophic event, in an interconnected world, could cause a domino effect that would wreak havoc across the internet. In one blow it would bankrupt enterprises and insurance carriers, and throw the matter into the lap of the so-called "insurer of last resort" — the government.

The savings and loan scandal of the 1980s offers a warning. Savings and loans across the United States engaged in gross negligence, offering bad loans to customers who couldn't repay them. When those borrowers defaulted en masse, the savings and loans failed and went clamoring to the FSLIC — the government-run insurer — to be made whole. The resulting bailout cost American taxpayers more than $100 billion.

To avoid such a scenario, security professionals need to overcome their knee-jerk dismissiveness of cyber insurance, Leverett says. "Many hackers probably haven't read Ralph Nader's 'Unsafe at Any Speed,'" he says. "Reading about how that consumer rights activism changed an entire industry — the auto industry — and forced them into something more than compliance, which was actual liability.... I think that could happen here, if we put the right amount of pressure."

Copyright © 2018 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
8 pitfalls that undermine security program success