Sheep vs Cyber-Insurance

The many ongoing, successful cyber incursions have facilitated unprecedented levels of unauthorised access to sensitive materials, and are now leading to other forms of related exposure.

With this in mind it seems to make very good sense to turn to the instruments of cyber-insurance to offer an additional level of protection to your organisation – albeit in a negative, reactive mode. But then I am left wondering if such a desired level of protection offers what would be a calculated approach to provisioning the expected level of robust cover. So I would like to look to the green fields, and consider the associations of sheep.

According to the UK’s NFU Insurance company, rural crime, and in particular the theft of sheep, is running at an all-time high – and naturally in this field, the instrument of calculated and adequate insurance cover is a critical consideration for any farmer who wishes to protect his or her assets and livelihood.

So based on a known calculation of the known goods (e.g. sheep), the farmer seeking cover will make the application for adequate cover to facilitate the correct level of robust protection for said assets (remember those sheep). Thus when damage, loss or theft occurs within the T&Cs of the established contract, a claim may be submitted, and after a successful review, hopefully compensation will be forthcoming to cover the encountered loss.

So here we are dealing with an exact number, based on a known financial calculation of exposure, and we may thus safely assess the outcome with a high degree of probability. In fact, it’s not just about sheep of course, as this same theory of offset protection applies to other tangible entities such as home, contents, and car insurance – all of which are based on a known fact and an associated valuation.

Ensuring Adequate Cover

Now when we consider the world of cyber-insurance there is a quantum shift away from the calculated knowns that exist with other forms of tangible and conventional insurance, and a move into the world of the unknown eventuality of a claim following a cyber-attack or compromise.

The problem is, just how does a business ensure that the monies they are investing actually provision an adequate level of cover? And just how effective is such cover, given that the provider is assessing the associated risk based on a calculated assessment of what is, in reality, unknown?
 
Having been on the receiving side as an applicant for cyber insurance, I was amazed at just how agreeable the insurer was to accept what were both negative and dangerous levels of disclosure, which confirmed multiple past events, ranging from incidents of malware through to a successful compromise of an internal company network segment – all of which were considered acceptable, and thus the said policy was issued in very quick time.
 
I have also been concerned as to the on-boarding process which is applied by some large brand providers, and agents who spend the minimal amount of time on a tick-box assessment (there is that ‘tick’ again) to conclude with the successful issue of what can be a very expensive validated policy. Meaning that, as with many other forms of insurance, if at some later stage, usually during the claim process, the responses are found to be inaccurate, there is a chance that the policy may not be held as valid (here I am comparing many of those known cases involving critical health cover).
 
It may be however that if an applicant does look to present a very high risk, the insurer may still wish to proceed at the right price, but with a policy which over-compensates in weighted favour of the provider – as long gone are the days in which I was told, ‘excessive risks could be offset by excessive fees which could be reinvested on a lucrative market offering a guaranteed and maximised return on the investment’ – thus reducing the actual surface of exposure.
 

Preparing For Impact

From another angle we may well look to some recent events – such as Sony through to the debacle involving Ashley Madison – all of which were of course unpredicted and unknown, with some instances exhausting their cover, or with the implication that the cover did not have deep enough pockets to cover all manifestations of loss.

But all that said, I am not saying that cyber-insurance is a bad thing – what I am outlining is, given the fact that a successful long-term breach could implicate (and has) multiples of millions of end-users spread across the globe, not to mention the association of those third parties and associates, the facts of the matter are: if the cover has been based on an unqualified assumed state of security, resulting in an imperfect calculation based on an unknown level of expected exposure, there could be a considerable shortfall in anticipated compensation after an event.
 
My conclusion here must be – if I am to recommend such insurance cover to a client, I would advise them to look to any evidenced like-for-like successful security breach in a company of a similar profile, confirm the totality of the expected cost, and then add 20%. Based on such a semi-known level of input criteria, present the application for cover to the potential provider, and wait to see the price tag. It may be that you will be pleasantly surprised, or will look to other providers, or you may even consider applying some other compensatory controls to realise a saving – unless, that is, you have an open cheque book.
 
The problem with a risk-based approach of course is, where there is a low probability, acceptance of the risk may look very attractive – that is of course until such time as the ‘Impact’ comes home to roost – then it is time to think again, and to apply a new model.