Cyber Insurance (a.k.a. Technology Insurance) • Linda Kay Monks • Center for Information Security • Department of Computer Science • University of Tulsa, Tulsa, OK 74104
At First Glance • I didn’t know this type of thing existed • What? • What is it? • That sounds boring • Compensation culture • Is this just another way for the rich to make more money? • Is this just another way to rip hard working people off who can’t even afford health insurance? • Fraud? rip off schemes (McD’s Coffee, pc ins?) result in raising rates, affecting society
Overview • An insurer is a company selling the insurance • An insured or policyholder is the person or entity buying the insurance policy • The insurance rate is a factor used to determine the amount to be charged for a certain amount of insurance coverage, called the premium, based on risk
Insurance Defined • In law and economics, insurance is a form of risk management primarily used to hedge against the risk of a contingent loss. • Defined as the equitable transfer of the risk of a loss, from one entity to another, in exchange for payment.
Traditional Policies • Auto • Home • Health • Accident • Sickness • Unemployment • Casualty • Property • Life • Liability • Malpractice • Business Method Patent (new assurance products can now be protected from copying)
Other Policies • Aviation • Boiler (equip/machinery) • Earthquake • Flood • Landlord • Marine (ships, cargo) • Volcano (damage-Hawaii) • Windstorm (tornado) • Prize Indemnity (game shows) • Terrorism insurance provides protection against any loss or damage caused by terrorist activities
Insuring People That Matter • Employers of: • Formula One racing drivers • Hollywood actors • Musicians • often take out insurance against the risk that star performers are unable to work because of sickness, an accident or even scandal
Specialized Policies • Entertainment Industry • Artists and Promoters • Filmmakers - James Bond • A film production insurance package has 13 key areas of cover, including: employer’s liability; key person insurance; accident or injury to cast members and crew; damage to negatives; equipment hire; and props. • Las Vegas - Live Music Events • Madonna, Pink Floyd, Rolling Stones • Sports • Olympics, 21st Century Contingency Planning
Key Man Policies • Organizations covered - if loss of a major asset leads to a loss of money - Legs, hands, voice, teeth, chest hair • Famous celebrities - depend on aspects of themselves for their fame - if they become disabled or lose that item, they lose their livelihood • Hands: Rolling Stones guitarist Keith Richards; pianist Liberace • Legs: Fred Astaire, Betty Grable • Chest Hair • Teeth: actor Ken Dodd
Today’s Companies At Risk • Evolution of Internet and way businesses operate has opened society for new attacks • If you have a: • Web site • Email/Internet Access • Credit Cards • Networked System • Sensitive Information • Courier service, third party vendor
Increased Threats • Theft • Vandalism • Natural Disasters • hurricanes • earthquakes • tornadoes • Power Outages • Loss of Income, Business, Downtime • Disgruntled employee • Corporate Espionage • Secure Information
Threats • Locking office doors doesn’t prevent unauthorized access to sensitive documents
More Threats • Hackers, viruses, attacks on authenticating systems, intrusions, defacing websites, phishing, identity theft • Surveys reveal 90% of businesses and government agencies have detected security breaches • 75% of these result in financial loss • 34% admit to less-than-adequate ability to identify if their systems have been compromised • 33% admit lack of ability to respond
Performance Crash • Feb. 2000: coordinated denial-of-service attacks prevented 5 of the 10 most popular websites from serving customers • Perceptions changed after 9/11 • 2001: three serious worm attacks in 3 months • Code Red (July), Nimda (Sept), Klez (Oct) • Global slowdown of the internet, measured at 60% degradation in performance • Slammer Worm 2003
Managing Risks • Uncertainty of cyber-risks • Poses unlimited threat for damages • Planning and preparation • Consider the risk in all areas • Manage risks • Avoid the risk • Retain the risk • Mitigate the risk • Transfer the risk for a fee (obtain cyber insurance)
Avoid the Risks • Reduce exposure to threats by no connectivity • not maintaining any dependence on networked computers, internet, website presence
Retain the Risks • Make an informed, conscious decision • Is it more cost effective to absorb any losses intentionally, or are other risk mgmt options not affordable? • Retaining the risk may be the only financial option; don’t be risk-seeking
Mitigate the Risks • Use managerial and technical processes • Invest in people and devices to • Identify threats • Prepare counter-measures • Continually improve security processes
Transfer the Risk • To a third-party licensed insurance company for a fee • Engages the insurer to act as intermediary, conduct smooth payouts for uncertain events and spread variable costs into periodic costs
Options • Take a risk management approach • Disburse the risks utilizing all approaches • Use product warranty or service contract • Conduct internet presence • Do not take internet transactions
What is it? • Cyber coverage - offered in traditional policies • Property and Theft • Offered in millions • Based on • Destruction of Data or Software • Recovery from viruses or other malicious code • Business interruption • Denial of service attacks • Data theft • Cyber extortion • Losses due to terrorist acts
Evolving Insurance • New type of policy, reactionary • 1990’s, Early Hacker Policy • Cyber Insurance started spreading in 2002, eight years old • Love Bug virus 2000 affected 20 countries, 45 million users, caused 8.75 Billion in lost productivity and software damage • Slow Growth • Companies don’t want to report security breaches • Result • standardized insurance prices hard to come by
Cyber Insurance Coverages • Traditional Policies • Normal Liability policies cover physical property • Computer • Lightning, reimbursed • Virus destroys data, downtime, may/may not be covered • Cyber Insurance • Writes policies that deal directly with technology • Tailored to fit company needs
Coverages cont’d • Liability • Network Security Liability • Content/electronic media injury • Privacy/breach of confidentiality liability
Insurers • Narrow Coverages to target consumers • May seek to spread risk over different hardware and software platforms • Large and small organization • Bases questions on the Internet and connectivity
Do We Need This? • Cyber Insurance- Conduct Self-Evaluation • Dependent on networked computer assets • Produces vulnerability in the market place • Need and demand protection against cyber risks • Focus on security, technical prevention of cyber attacks • Must manage risks as reality • Do we possess patents, trade secrets
Insurance Evaluation • First and foremost question: • Look at company’s Network Security • No firewall, no anti-virus, NO POLICY • Market segments • Requires company to do security assessment of current conditions of technology
Security Assessments • Large Corporations • Require third party assessments • At company expense • 16 page+ checklist • Security configurations • Documentation of security plans • Password Management • Backup Procedures • Much more
Security Assessments • Small Companies • Self-Assessment • 1-2 page checklist • Basic security procedures: • Anti-virus software • Do you update the virus definitions • Use firewall • Conduct regular backups
Redundancy in Policies • Auto Policies - don’t carry two • Cyber Policies • Don’t buy if already covered • Look at current policies • Does general liability cover physical damage to computers? • Does your computer have a manufacturer’s warranty? • Have current agent strike physical property from the current policy, reduce premium. • Don’t include things you won’t need • Restaurant has a web site but not a message board, don’t need libel insurance
Benefits • Insure our people that matter: company, stakeholders, stockholders’ money • Produces peace of mind • Saves money, transfers risk • Increases safety/self-protection • Helps facilitate new standards of liability • Prevent legal liabilities, lawsuits
Insurance Companies • More specialized insurance • Companies that offer Cyber Insurance: • American International Group (AIG) Inc’s NetAdvantage • Lloyd’s of London e-Comprehensive • InsureTrust.com • J.H. Marsh & McLennan • Sherwood • Many online companies • Not many traditional insurance providers like Allstate, Prudential, Nationwide, or State Farm
Price Points • Policy Coverages • $5,000 to over 15 million • Typical Cost of a policy • Hundreds for a $5,000 policy • $5,000 to $60,000 per $1 million; however, standardizing policies and pricing is difficult, and determining them is a critical challenge for some insurance companies • Can’t apply brick & mortar costing for digitized assets • Cost includes info on company’s size, revenue, risk
In Conclusion • Other industries find it necessary to cover risks through insurance • Common sense, aggressive approach to security in the front of the house • Growing demand dictates that cyber insurance products could become an over 2.5 billion industry