
Cyber Insurance


Presentation Transcript


  1. cs5493(7493) Cyber Insurance

  2. AKA
     • E-commerce insurance
     • E-business insurance
     • Information system insurance
     • Network intrusion insurance

  3. Brave New World
     • A new field of insurance: policies began appearing at the beginning of the 21st century.

  4. Old vs New
     • What do traditional insurance policies cover?


  9. Traditional Policies
     • Traditional insurance policies do handle tangible loss and damage claims due to:
       • Fire
       • Flood
       • Theft
       • Other natural disasters
       • Liability claims

  10. Traditional Policies
     • Traditional policies would not cover financial losses related to lost data.
     • Data losses from DoS or malware attacks are not covered.

  11. Traditional Policies: Data Loss Claims
     • For that distinction you can thank American Guarantee & Liability Insurance Co. vs. Ingram Micro Inc., a U.S. District Court ruling in Arizona in 2000. The court said that a computer outage caused by a power problem constituted physical damage within the meaning of the policy Ingram Micro had purchased from American Guarantee.
     • "After that, the insurance firms changed their policies to state that data is not considered tangible property." (Kalinich)
     • The upshot is that an enterprise needs special cyber insurance to cover data-related issues.

  12. Legal Precedent
     • High-profile cases against one insurer will cause all insurers to change their policy offerings.

  13. Cyber-Insurance
     • The gap left by traditional policies created a market for cyber-insurance.
     • Example: traditional policies do not cover:
       • Data loss from malware (AGLI vs Ingram Micro)
       • Revenue loss from DoS attacks


  17. Cyber Insurance Challenges
     • Insurance market inefficiencies
     • Asymmetric information
     • Mono-cultures
     • Moral hazard


  20. Cyber Insurance Inefficiencies
     • A new field of insurance: policies began appearing at the beginning of the 21st century.
     • Not much data for actuaries to determine the risks.
     • Prices of policies vary greatly from one product offering to the next.
     • Insurance regulators have little guidance for monitoring cyber-insurance policies.

  21. Cyber Insurance Inefficiencies
     • Insurers face a small reinsurance market for cyber-policies.

  22. Reinsurance • Insurance carriers can purchase insurance to spread their risk to other firms.

  23. Claims
     • Signs of an immature product offering:
       • Early claims made under cyber-policies were contentious (they ended up in court).
       • Court rulings were inconsistent due to the lack of precedent.

  24. Lack of Standards
     • There are no standard products; insurers are creating policies on a case-by-case basis.
     • There are no standard products for insurance regulators to examine (caveat emptor).

  25. Asymmetric Information
     • If a firm purchases a $25 million policy, it must have a good reason to do so. (Is it in the insurer's best interest to offer such a policy?)

  26. Mono-culture Risk • An insurance company must have a diverse base to reduce the possibility of being overwhelmed by a single event generating too many claims.

  27. Mono-Culture Risk • The interdependency and correlation of risk to insurers impose a high probability of excessive losses. • Insurers need a diverse and large policyholder base.


  29. Cyber Insurance Mono-Cultures
     • The IT industry carries the risk of installed system mono-cultures:
       • Millions of systems run MS Windows and all could be vulnerable to the same attack.
       • Some attacks carry a high probability of excessive payouts by the insurers.
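The mono-culture argument of slides 26 to 29 (correlated exposure makes excessive losses likely even when the average loss is unchanged) can be made concrete with a small simulation. This is an added example, not from the slide deck or the course: it assumes a constructed book of 200 policyholders with a 5% per-year claim rate, a platform-wide attack that arrives with probability 5% per year and causes half of the shared-platform holders to claim, and an insurer that can absorb 30 claims a year; the expected number of claims is deliberately the same in both books, so only the correlation structure differs.

```python
import random
from statistics import mean


def simulate_portfolio(n_holders, p_claim, mono_share, p_shock, p_claim_shock,
                       capital, trials=5000, seed=7):
    """Simulate annual claim counts for an insurer's book of cyber policies.

    Constructed model (assumption, not the deck's): a share `mono_share` of
    the holders run the same platform. With probability `p_shock` per year a
    platform-wide attack occurs and each of those holders files a claim with
    probability `p_claim_shock`; in a quiet year they claim at a lower
    baseline rate. Everyone else claims independently with `p_claim`.
    Returns (mean annual claims, probability that claims exceed `capital`).
    """
    rng = random.Random(seed)
    n_mono = round(n_holders * mono_share)
    n_other = n_holders - n_mono
    # Calibrate the quiet-year rate so the mono holders' expected claim rate
    # still equals p_claim: (1 - p_shock) * p_base + p_shock * p_claim_shock = p_claim.
    # Same expected loss in both books; only the correlation differs.
    p_base = (p_claim - p_shock * p_claim_shock) / (1 - p_shock)
    if p_base < 0:
        raise ValueError("shock alone exceeds the target claim rate; lower p_shock or p_claim_shock")

    def count_claims(n, p):
        return sum(1 for _ in range(n) if rng.random() < p)

    totals = []
    for _ in range(trials):
        shock_year = rng.random() < p_shock
        claims = count_claims(n_mono, p_claim_shock if shock_year else p_base)
        claims += count_claims(n_other, p_claim)
        totals.append(claims)
    ruin_prob = sum(1 for c in totals if c > capital) / trials
    return mean(totals), ruin_prob


def compare_books(mono_share, capital=30):
    """200 holders, 5% claim rate, 5%/yr platform event with a 50% claim rate when it hits.
    `capital` is the number of claims the insurer can absorb in a year (3x the expected 10)."""
    return simulate_portfolio(200, 0.05, mono_share, 0.05, 0.5, capital)


if __name__ == "__main__":
    for share in (0.0, 0.3, 0.6):
        avg, ruin = compare_books(share)
        print(f"mono share {share:.0%}: mean claims {avg:5.1f}, P(claims > capital) {ruin:.3f}")
```

With no shared platform the mean is 10 claims and exceeding 30 claims practically never happens; with 60% of the book on one platform the mean is still 10, but the insurer exceeds its capacity in roughly one year in twenty, which is the "diverse and large policyholder base" point from slide 27.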

  30. Moral Hazard • Under full insurance, the insured has little incentive to undertake precautionary measures because losses are compensated.

  31. Moral Hazard • Insurance companies have strategies to reduce their moral hazard risk.


  38. Moral Hazard
     • Ways to mitigate moral hazard:
       • Impose claim limits
       • Deductible requirement on claims
       • Claims have a monetary convenience cost
       • Increase premium rates to the insured
       • Fraudulent claims and criminal behavior of the insured are not covered
       • Policyholder must meet a standard of care
       • Contracts must be renewed annually, so the insurer can terminate the relationship

  39. Standard of Care Requirements • The insurers are making standard of care requirements mandatory for cyber-insurance coverage.


  47. Standard of Care Requirements
     • Data backup and procedures
     • Data backup storage
     • Network firewalls
     • Security software (e.g. anti-malware)
     • Well-defined security plan
     • Password management
     • Employee security awareness training
     • Software updates/patches


  50. Standard of Care Requirements
     • Standard configurations
     • Encryption
     • Vulnerability monitoring
