Information Security Breach Insurance: Is it Working?
A recent SANS NewsBite item covered how Colorado Casualty Insurance Co. has denied a data security breach insurance claim for USD 3.3 million. The claim was based on a 2008 incident in which backup tapes with data pertaining to approximately 1.7 million medical patients from University of Utah hospitals were stolen en route to a storage site operated by Perpetual Storage. A Perpetual Storage employee had left the tapes in a car and later reported that they were missing. The storage service provider had bought an insurance policy to insure against costs from data security breaches.
Unfortunately, this kind of story has become all too common. Those of us who are information security professionals are very aware that information security breach insurance is a possible strategy for information security risk management. But this strategy does not appear to be working very well. The problem is that insurers too often deny information security insurance claims, or if they accept the claim, they tend to pay much less than the insured organization has claimed. Why? The major reason is that asset valuation is anything but an objective process. A piece of intellectual property that a company has deemed to be worth millions may seem like nothing to others, including insurance carriers. I firmly believe that if asset valuation were to become more precise and objective, cybersecurity insurance would work much better for organizations that choose to go this direction.
You may remember the name Jay Libove, a much-respected IT and IT security professional with whom I frequently exchange ideas. With his permission, I am presenting you with his take on the situation:
Yes, asset valuation is one of the big problems. Maybe even worse is the insufficient availability of actuarial statistics about how likely the risks are to come to pass…
For example, a few years ago we were compelled by our insurance company to update all of the electric light switches and sockets in an early 1970s condominium because the electric wiring (which had been in the walls for all of those years) is aluminum. Over decades, the insurance industry has collected enough information to suggest that some teeny tiny percentage of homes with aluminum wiring will experience fires, due to the higher heat coefficient of expansion of aluminum compared to the modern building material for such things: copper. And since they have accurate statistics on how often such fires happen, and reasonable estimates as to the damage each fire causes, they made the decision to force all homeowners of buildings with aluminum wiring to invest $thousands, or else the insurance would be non-renewed.
Looking at data breaches and information security threats… we can’t look at an information system and say “Oho! That information system has the code equivalent of aluminum wires!” Well, actually we can, for about 10,000 different kinds of aluminum and 25,000 different kinds of wires. But what we can’t do is reasonably say “I see no aluminum wires, so I think your risk is acceptably low, and therefore I’ll offer you insurance which might actually have to pay out in the $hundreds of millions for any annual premium which I have the faintest idea how to calculate”.
Indeed, there is now cyber risk coverage available. For the insurers themselves it’s a high-risk game, as they know that they as yet lack adequate statistics… but they feel that they’re getting there.
And it is one of the great hopes for setting a “commercially reasonable” floor for information security – because once such insurance is broadly available, it will become a commercially *UN*reasonable practice to *NOT* carry that insurance. And so everyone will have to meet the security standards mandated by the insurance industry.
Jay may very well be right. In the meantime, the only advice concerning information security breach insurance is caveat emptor. Perpetual Storage had to learn the hard way. Not surprisingly, this company dropped its insurance policy with Colorado Casualty Insurance Co. shortly after its claim was denied. If insurance companies do not typically honor claims made when incidents occur, what good does insurance do, anyway?