[Brian says he cut and pasted the story below because "the link expires 14 days after the story runs, which in this case would be Thursday." --Declan]

---

Date: Mon, 08 Jul 2002 09:52:17 -0400
From: Brian Krebs <brian.krebsat_private>
Subject: hacker insurance
To: declanat_private
Organization: Washingtonpost.Newsweek Interactive

White House Pushing Cybersecurity Insurance

By Brian Krebs
washingtonpost.com Staff Writer
Thursday, June 27, 2002; 1:35 PM

Companies in every sector of the U.S. economy may soon find it difficult to operate without cybersecurity insurance, an evolving form of coverage that the Bush administration hopes will be instrumental in steeling the nation's information technology infrastructure against attack.

In closed-door meetings with insurance industry leaders last week, White House officials laid the groundwork for a joint public-private sector working group to identify obstacles that may be preventing insurers from writing more cybersecurity policies.

"We've asked them to come up with ideas about things the government could do that would make it easier for the insurance industry to provide more coverage," said Richard Clarke, the White House cybersecurity adviser. "We also asked them to look at ways in which the insurance industry can work together with the government to increase corporate awareness of the problem."

The White House strategy - set in motion under the Clinton administration - holds that as malicious hacker attacks and computer viruses become more destructive and costly, businesses will seek insurance coverage for their commercial data and other computer-based assets.

The administration's plan borrows a page from the evolution of fire insurance at the turn of the 20th century, when insurers worked with industry to reconcile competing electrical and fire safety standards. Businesses that did not take certain fire precautions were largely refused coverage.
The White House believes the same dynamic will evolve in the Internet security arena: In an effort to minimize losses, insurers will confer with leaders in the technology industry to set minimum standards for network security practices and - by extension - products used to enforce those standards.

Robert Hartwig, chief economist for the Insurance Information Institute in New York, said that transformation is already underway. He estimates that the market for cybersecurity insurance will reach $2.5 billion in premiums by 2005.

"Businesses will soon purchase this in the same way they buy property insurance," Hartwig said. "They wouldn't think of not insuring the buildings they're in, and soon they won't go without insuring the value of their computer systems."

A Risky Business

Only a handful of insurers currently offer cybersecurity policies. Coverage areas now include theft of data, denial-of-service and virus attacks, Web site defacement and subsequent outages, credit card fraud and cyber-extortion. A few policies even cover accusations of online libel and slander.

Yet, as with other new types of coverage, the amount of coverage available is limited. In addition, cyberinsurance premiums can be prohibitively expensive for many companies, in part because insurers don't have enough experience and information to assess the financial risks associated with such policies.

And if insurers have trouble accurately assessing the loss from intrusions, companies also are likely to have trouble determining whether cybersecurity insurance is a smart investment, said Bill Budde, managing director for global insurance at EDS Corp.

"Right now, it seems difficult from a buyer's perspective to understand what they're purchasing," he said. "Ultimately, companies have to be able to figure out if it's worth the coverage cost," or if it would be simpler and cheaper to self-insure.
To further complicate the equation, damages that companies incur from hacker attacks can be difficult to quantify, Budde said. "Maybe a company loses customers because an attack brings its site down for a few hours, but that's a loss that's sometimes hard to prove," he said.

Businesses have been notoriously reluctant to report network vulnerabilities and intrusions, leaving insurers with a dearth of data to use in evaluating risk and offering coverage. According to a report released by the FBI in April, 90 percent of businesses and government agencies suffered some form of cyber attack within the past year, yet only a third of those businesses reported the incidents to law enforcement.

"If you're insuring automobiles, you can anticipate that there will be a certain number of accidents out of a given number of drivers, so you know what your loss exposure is," Clarke said. "With cyberinsurance, there's not a lot of data that allows anyone to make that kind of prediction."

The administration strongly supports an effort in Congress to exempt from public disclosure certain information that companies share with the government on computer vulnerabilities. Many companies have said they would be unwilling to disclose such data without such protections.

Technology Is Half the Battle

All of the major carriers offering cybersecurity coverage use independent security companies to probe a candidate's network defenses before granting a policy. As insurers become more familiar with IT security, the auditing process should begin to drive the development of more secure software, said Elad Yoran, founder of Alexandria-based Riptech Inc., a company that performs security testing for potential cybersecurity insurance clients of American International Group (AIG).

"A company's ability to afford this insurance is going to hinge on the types of security infrastructure they've implemented," Yoran said.
"Premiums will be significantly lower for organizations that implement a vigorous defense posture and well-tested security products."

In the meantime, the Bush administration is asking some of the biggest buyers of IT security goods to demand more from technology vendors. "We've been getting together with customers, sector by sector, and asking them why they continue to buy software that has these security problems," Clarke said.

Bruce Schneier, founder of Counterpane Internet Security in Cupertino, Calif., said such steps don't change the fact that improving security remains a losing proposition for technology companies.

"What are the costs of improving security? It's expensive, users lose functionality, and they get annoyed," Schneier said. "What are the costs of ignoring security? Occasionally, you may get some bad press. So the result is, you do what everyone else does, and nothing more."

Schneier said technology firms aren't likely to improve the security of their products until they begin to face product liability lawsuits or more stringent laws. "Security follows the money, and if there isn't any financial incentive for companies to be secure, they're not going to," he said. "Doing anything else wouldn't make any business sense."

For now, the administration is determined to take a non-regulatory approach to the matter, Clarke said. The working group is expected to issue its recommendations in August, a month before the White House plans to release its national strategy for protecting the country from cyberterrorism.

The administration is also talking with the insurance industry about whether potential cyberterrorist attacks on the nation's infrastructure would be exempt from coverage under the new policies. Most insurers treat terrorist attacks as acts of war, which insurance companies generally don't cover.
In the end, it may take a punishing, industry-wide cyberattack before companies begin to seriously consider cybersecurity insurance, said Hartwig of the Insurance Information Institute.

"Unfortunately," Hartwig said, "the best advertisement for this kind of product is going to be the next malicious and well-publicized attack."

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Mon Jul 08 2002 - 08:12:48 PDT