No security system is 100 per cent bullet-proof, according to common wisdom. There are limits to what security technology and processes can protect. So what can be done about that small but potentially devastating percentage that cannot be secured?
Some information security experts believe cyber-security insurance can cover those gaps. “We believe insurance will become an integral part of information security. It’s a good way to pool risk,” said Lawrence A. Gordon, co-author of the 2005 CSI/FBI Computer Crime and Security survey and professor of information assurance at the University of Maryland.
Although major insurance companies have been offering cyber-security insurance since 1999, only about 25 per cent of survey respondents use it to cover their risks, even though the majority of respondents experienced breaches, with average losses of US$204,000.
One major factor inhibiting uptake is the disconnect at many companies between the IT department that manages the security systems and the finance area that purchases insurance.
“Many companies have good risk management programs but bad risk financing programs. Risk control duties are usually assigned to IT departments, who do a good job, but they don’t think about getting insurance. It’s not within their mindset,” said Nick Economidis, product manager of netAdvantage, a cyber-security insurance suite offered by insurance company AIG.
On the other hand, the finance area is responsible for buying insurance but doesn’t have detailed knowledge of information security risks. Traditional property and casualty policies don’t cover intangible losses. For example, a denial of service attack will not be covered, as no physical damage to computer systems occurs. And some computer crime policies may cover direct losses from hacks, but may not cover loss of business income or data.
“That’s where a learning process comes in. Finance people have to understand what the risks are and why traditional insurance policies don’t cover them. That becomes a very technical insurance discussion because you need to get into the nitty gritty of the insurance language,” said Economidis.
If you ask a CIO and CFO if their company is protected against cyber-security risk, the CIO will likely interpret the question to mean technically protected, whereas the CFO will assume it means financially protected, said Gordon.
“Finance people look at security in terms of economics and cost-benefit analysis, but IT people are not trained in this area,” he said. For example, a CIO might approach a CFO for an increase in his security budget, saying an extra $1 million can decrease the number of security incidents by 10 per cent. The CFO’s immediate reaction will likely be to ask how that translates into dollars. If the estimated losses from the security incidents prevented total only $500,000, it is not a good investment from the CFO’s point of view.
But IT people often retort that information security can’t be put into an economic model. You can’t observe the value of the security you’ve gained. “That’s exactly what everyone used to say about information technology 20 years ago, but now everyone uses net present value models as a screening device for IT investments,” said Gordon.
He believes security can and should be viewed in cost-benefit terms. The concepts that can be used to bridge the gap between the IT department and finance areas are outlined in an article, A Framework for Using Insurance for Cyber-Risk Management.
In it, Gordon and his co-authors argue that a trade-off exists between the amount a company should invest in information security and cyber-security insurance. Higher levels of information security protection will require lower levels of insurance, and vice versa.
Companies should do a structured self-assessment and gap analysis of their information security risk “appetite” by considering a variety of factors. What is an acceptable level of investment in information security systems and processes, factoring in that insurance companies will offer discounts on premiums if security is in high compliance with security standards such as ISO 17799?
What kind of insurance coverage is available for financial losses resulting from breaches? How much loss are they prepared to sustain from “residual risk” — breaches not covered off by either the insurance or security systems?
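The CFO’s cost-benefit test from the $1 million example above and the investment-versus-insurance trade-off described in the framework can be written down as a small model. The following Python is an added illustration, not code from the article or from the framework’s authors; the option names, the dollar figures, the premium discount for standards compliance and the fraction of residual loss an insurer reimburses are all constructed assumptions, chosen only to show how the pieces fit together.

```python
"""Illustrative model of the security-investment / cyber-insurance trade-off.

Added example (not from the article). All numbers are constructed assumptions.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityOption:
    """One candidate level of extra annual security spending."""
    name: str
    extra_investment: float   # additional annual spend on security controls
    incident_reduction: float # fraction of incidents the spend is expected to prevent (0..1)
    compliant: bool           # assumed to meet a standard the insurer gives a premium discount for


def expected_annual_loss(incidents_per_year: float, avg_loss_per_incident: float) -> float:
    """Baseline expected loss before any extra investment."""
    return incidents_per_year * avg_loss_per_incident


def loss_prevented(baseline_loss: float, incident_reduction: float) -> float:
    """Dollar value of the incidents a given reduction would avoid."""
    return baseline_loss * incident_reduction


def is_worth_it(extra_investment: float, baseline_loss: float, incident_reduction: float) -> bool:
    """The CFO's test: the investment only pays if it prevents more loss than it costs."""
    return loss_prevented(baseline_loss, incident_reduction) > extra_investment


def total_cost(option: SecurityOption, baseline_loss: float, base_premium: float,
               compliance_discount: float, coverage_fraction: float) -> dict:
    """Annual cost of one option: investment + premium + the residual loss nobody covers.

    Assumed (hypothetical) insurer behaviour: a flat premium, discounted for
    compliant firms, that reimburses `coverage_fraction` of whatever loss still
    occurs after the security controls do their job.
    """
    residual_loss = baseline_loss * (1.0 - option.incident_reduction)
    premium = base_premium * (1.0 - compliance_discount) if option.compliant else base_premium
    uninsured_residual = residual_loss * (1.0 - coverage_fraction)
    return {
        "investment": option.extra_investment,
        "premium": premium,
        "uninsured_residual": uninsured_residual,
        "total": option.extra_investment + premium + uninsured_residual,
    }


def cheapest_option(options, baseline_loss, base_premium, compliance_discount, coverage_fraction):
    """Pick the option with the lowest combined annual cost."""
    return min(options, key=lambda o: total_cost(o, baseline_loss, base_premium,
                                                  compliance_discount, coverage_fraction)["total"])


# Constructed scenario: 25 incidents a year at roughly the survey's average loss per
# incident ($200,000) gives a $5M baseline, so a 10% reduction prevents $500,000.
BASELINE_LOSS = expected_annual_loss(incidents_per_year=25, avg_loss_per_incident=200_000)

OPTIONS = [
    SecurityOption("status quo", extra_investment=0, incident_reduction=0.0, compliant=False),
    SecurityOption("moderate", extra_investment=200_000, incident_reduction=0.3, compliant=True),
    SecurityOption("heavy", extra_investment=1_000_000, incident_reduction=0.5, compliant=True),
]

if __name__ == "__main__":
    # The article's example: $1M extra spend, 10% fewer incidents, $500K prevented.
    print("worth it?", is_worth_it(1_000_000, BASELINE_LOSS, 0.10))
    for opt in OPTIONS:
        print(opt.name, total_cost(opt, BASELINE_LOSS, 300_000, 0.2, 0.6))
    print("cheapest:", cheapest_option(OPTIONS, BASELINE_LOSS, 300_000, 0.2, 0.6).name)
```

The point the model makes visible is the one the framework argues: past a certain level, each extra security dollar saves less than it costs, while the premium discount and the reimbursed share of residual loss make a moderate investment plus insurance cheaper than either extreme. Changing `coverage_fraction` or `compliance_discount` moves that sweet spot, which is exactly the conversation the IT and finance sides need to have with real quotes in hand.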
Companies are starting to buy into the idea of using insurance in concert with information security, said Gordon.
“This is a win-win situation. It’s good for insurance companies and the companies that get insurance. But it doesn’t replace good security.”