Cyber-Insurance Metrics and Impact on Cyber-Security

From Cybersecurity Wiki
Revision as of 13:50, 19 August 2010 by WikiSysop (talk | contribs) (→‎Full Citation)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Full Title of Reference

Cyber-Insurance Metrics and Impact on Cyber-Security

Full Citation

Larry Clinton, Cyber-Insurance Metrics and Impact on Cyber-Security, Internet Security Alliance (undated). Online paper. Web

BibTeX

Categorization

Key Words

Disclosure Policy, Information Asymmetries, Interdependencies, Risk Modeling

Synopsis

This article analyzes the benefits of cyberinsurance over government regulation and discusses problems in the current cyberinsurance market, and suggests a role for government in encouraging data sharing of risk information and providing safe harbors.

Overview to Cyber-Insurance

Cyber-insurance is defined as an insurance product used to protect businesses from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities. The paper goes on to describe the benefits of cyber-insurance. Basically, Cyber-insurance increases cyber-security by encouraging the adoption of best practices. Insurers will require a level of security as a precondition of coverage, and companies adopting better security practices often receive lower insurance rates. This helps companies to internalize both the benefits of good security and the costs of poor security, which in turn leads to greater investment and improvements in cyber-security. The author then argues that cyber-insurance has a number of advantages over governmental regulation as a means for improving cyber-security, but also outlines that the market for cyber-insurance is adversely affected by a number of problems that he identifies, such as a cyber-hurricane‟ – a major disaster resulting in great number of claims.

Legislative Solutions

According to the author, given the public policy benefits that come with widespread adoption of cyber-insurance and the current obstacles to the widespread creation and adoption of cyber-insurance, the federal government should act in order to help counteract the current market failure in the cyber-insurance market. The federal government has a number of measures at its disposal that it may use to improve the market for cyber-insurance, and by doing so help shore up domestic and international cyber-security:

  • Federal Purchasing Power: The federal government can promote the use of cyber-insurance with its strong position in the marketplace, by requiring government contractors and sub-contractors to carry cyber-insurance.
  • Cyber Safety Act: The federal government can promote cyber-security efforts by creating a Cyber

Safety Act that provides safe harbors or other limitations on cyber-security liability, contingent on reasonable efforts to conform to best practices.

  • Encourage Information-Sharing: The federal government can promote the sharing of cyber-security information by establishing an antitrust exemption to allow insurers to pool data on vulnerabilities and attacks.
  • Federal Government as a Reinsurer: The federal government can increase the supply of cyber-insurance by providing reinsurance to cyber-insurance companies for a limited time.

Standards of Due Care for Network Security Risk

Clinton says that the insurance industry is in a uniquely motivated to understand and communicate to its insureds what are the standards of due care appropriate for the management of network security. The reason for this is simple. Only the insurance industry has "skin in the game". That is to say, in the event of a loss it is the insurance company that will pay, excess of any self-insured retention, any damages to third parties as well as reimburse the policyholder for any loss of business and additional expense associated with the event.

Recommendations

  • Require government contractors to carry cyber-insurance. Doing this would improve cyber-security among government contractors, with a chance that private industry would adopt a similar requirement, resulting in high cyber-insurance coverage rates and a corresponding increase in cyber-security generally. The regulatory burden of added by such a requirement would be minimal, and the cost to the taxpayer would most likely be low.
  • Create a Cyber Safety Act that provides safe harbors or other limitations on cyber-security liability, contingent on reasonable efforts to conform to best practices.
  • Establish an antitrust exemption to promote the sharing of information and data relating to cyber-security. This actuarial data would allow the risks and benefits of a particular cyber-insurance policy to be calculated more accurately, allowing insurers to charge lower premiums and allowing and making cyber-insurance more attractive to risk managers. There would be no associated cost to the taxpayer.
  • Consider a measure aimed at reducing the fear of a "cyber-hurricane‟ among insurers. The two best options for doing so are providing backstop reinsurance for cyber-insurers, and offering a tax deduction encouraging insurers to increase the capital reserves used to pay out cyber-insurance claims.

Additional Notes and Highlights

Expertise Required: Economics - Low; Law - Low

Outline:

 Overview to Cyber-Insurance
   What is Cyber-Insurance?
   The Benefits of Cyber-Insurance
   Advantages over Governmental Regulation
   Problems with the Market for Cyber-Insurance
 Legislative Solutions
   Federal Purchasing Power
   Cyber Safety Act
   Encourage Information-Sharing
   Federal Government as a Reinsurer
   Insurance Underwriting
 Standards of Due Care for Network Security Risk
   General risk of exposure based on company industry and size and business activities
   Loss History, Years in Business and Financial Condition
   Third Party Exposure and Outsourcing
   Network security quality
 Recommendations