Cyber Insurance - PowerPoint PPT Presentation

  1. cs5493(7493) Cyber Insurance

  2. AKA • E-commerce insurance • E-business insurance • Information system insurance • Network intrusion insurance

  3. Brave New World • A new field of insurance; policies began appearing at the beginning of the 21st century.

  4. Old vs New • What do traditional insurance policies cover?

  5-9. Traditional Policies • Traditional insurance policies do handle tangible loss and damage claims due to • Fire • Flood • Theft • Other natural disasters • Liability claims

  10. Traditional Policies • Traditional policies do not cover financial losses related to lost data. • Data losses caused by DoS or malware attacks are not covered.

  11. Traditional Policies: Data Loss Claims • For that distinction you can thank American Guarantee & Liability Insurance Co. v. Ingram Micro Inc., a U.S. District Court ruling in Arizona in 2000. The court said that a computer outage caused by a power problem constituted physical damage within the meaning of the policy Ingram Micro had purchased from American Guarantee. • "After that, the insurance firms changed their policies to state that data is not considered tangible property," (Kalinich) • The upshot is that an enterprise needs special cyber insurance to cover data-related losses.

  12. Legal Precedent • A high-profile case lost by one insurer causes all insurers to change their policy offerings.

  13. Cyber-Insurance • The gap left by traditional policies created a market for cyber-insurance. • Example: traditional policies do not cover: • Data loss from malware (excluded by the policy wording insurers adopted after American Guarantee v. Ingram Micro) • Revenue loss from DoS attacks

  14-17. Cyber Insurance Challenges • Insurance market inefficiencies • Asymmetric information • Mono-cultures • Moral hazard

  18-20. Cyber Insurance Inefficiencies • A new field of insurance; policies began appearing at the beginning of the 21st century. • Not much loss data for actuaries to determine the risks • Prices of policies vary greatly from one product offering to the next. • Insurance regulators have little guidance for monitoring cyber-insurance policies.

  21. Cyber Insurance Inefficiencies • Insurers face a small reinsurance market for cyber-policies.

  22. Reinsurance • Insurance carriers can purchase insurance to spread their risk to other firms.

  23. Claims • Signs of an immature product offering: • Early claims made under cyber-policies were contentious (ended up in court) • Court decisions were not consistent, due to a lack of precedent.

  24. Lack of Standards • There are no standard products; insurers are creating policies on a case-by-case basis. • There are no standard products for insurance regulators to examine (caveat emptor).

  25. Asymmetric Information • The insured knows more about its own exposure than the insurer does. • If a firm purchases a $25 million policy, it must have a good reason to do so. (Is it in the best interest of the insurer to offer such a policy?)

  26. Mono-culture Risk • An insurance company must have a diverse base to reduce the possibility of being overwhelmed by a single event generating too many claims.

  27. Mono-Culture Risk • The interdependency and correlation of risk to insurers impose a high probability of excessive losses. • Insurers need a diverse and large policyholder base.

  28-29. Cyber Insurance Mono-Cultures • The IT industry carries the risk of installed-system mono-cultures: • Millions of systems run MS Windows, and all could be vulnerable to the same attack. • Such attacks carry a high probability of excessive payouts by the insurers.
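Slides 26-29 argue that correlated (mono-culture) risk can overwhelm an insurer even when each individual policy looks no riskier than before. The Monte Carlo simulation below is an added example, not part of the original slides; the book of 1,000 policies, the $100k loss size, the 3% claim probability, the 80% shared-platform fraction, the 2% shock probability and the seed are all constructed assumptions. It compares a book in which every policyholder is hit independently against one in which 80% of policyholders share a platform that a single exploit can hit all at once, while holding each policyholder's marginal claim probability fixed so both books have the same expected annual loss.

```python
import random
import statistics

# Constructed scenario (an assumption for illustration, not data from the slides):
# 1,000 policyholders, each insured for a single $100k loss per year, with a
# 3% annual probability of a claim per policyholder.
N_POLICIES = 1_000
LOSS_PER_CLAIM = 100_000
P_CLAIM = 0.03


def independent_year(rng):
    """Aggregate claims for one year when every policyholder is hit independently."""
    return sum(LOSS_PER_CLAIM for _ in range(N_POLICIES) if rng.random() < P_CLAIM)


def monoculture_year(rng, shared_fraction=0.8, p_shock=0.02):
    """Aggregate claims for one year when a fraction of policyholders run the same
    platform.  With probability p_shock one exploit hits every shared policyholder
    at once; the remaining claim probability for those policyholders is
    idiosyncratic and sized so that each policyholder's marginal claim
    probability is still P_CLAIM (same expected loss as the independent book)."""
    shared = int(N_POLICIES * shared_fraction)
    # P(claim | shared) = p_shock + (1 - p_shock) * p_idio  ==  P_CLAIM
    p_idio = (P_CLAIM - p_shock) / (1 - p_shock)
    shock = rng.random() < p_shock
    total = 0
    for i in range(N_POLICIES):
        if i < shared:
            hit = shock or rng.random() < p_idio
        else:
            hit = rng.random() < P_CLAIM
        if hit:
            total += LOSS_PER_CLAIM
    return total


def simulate(year_fn, years, seed=20240101):
    """Run year_fn for `years` independent years with a fixed seed; returns sorted losses."""
    rng = random.Random(seed)
    return sorted(year_fn(rng) for _ in range(years))


def percentile(sorted_losses, q):
    """Empirical q-quantile of an ascending list (simple index method)."""
    idx = min(len(sorted_losses) - 1, int(q * len(sorted_losses)))
    return sorted_losses[idx]


def summarize(sorted_losses, capital):
    """Mean, 99th-percentile and worst year, plus the fraction of years in which
    aggregate claims exceed the insurer's capital (a crude ruin probability)."""
    return {
        "mean": statistics.mean(sorted_losses),
        "p99": percentile(sorted_losses, 0.99),
        "max": sorted_losses[-1],
        "ruin_prob": sum(1 for loss in sorted_losses if loss > capital) / len(sorted_losses),
    }


def compare(years=2_000, capital=10_000_000):
    """Same expected loss, very different tails: independent vs mono-culture book."""
    return {
        "independent": summarize(simulate(independent_year, years), capital),
        "monoculture": summarize(simulate(monoculture_year, years), capital),
    }


if __name__ == "__main__":
    for name, stats in compare().items():
        print(f"{name:12s} mean=${stats['mean']:>12,.0f} p99=${stats['p99']:>12,.0f} "
              f"max=${stats['max']:>12,.0f} P(claims > capital)={stats['ruin_prob']:.3f}")
```

Both books average about $3M of claims a year, so a pricing model that looks only at expected loss would charge the same premium for each. The difference is in the tail: the independent book's worst year stays near $5M and never touches $10M of capital, while the mono-culture book produces a 99th-percentile year roughly 20 times larger and exceeds the capital in a few percent of years. That is the "excessive payout" risk the slide describes, and why a diverse policyholder base (or reinsurance, slide 22) matters more than simply writing more policies of the same kind.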

  30. Moral Hazard • Under full insurance, the insured has little incentive to undertake precautionary measures because losses are compensated.

  31. Moral Hazard • Insurance companies have strategies to reduce their moral hazard risk.

  32-38. Moral Hazard • Ways to mitigate moral hazard: • Impose claim limits • Deductible requirement on claims • Filing a claim costs the insured time and money • Increase premium rates for the insured after a claim • Fraudulent claims and criminal behavior of the insured are not covered • Policyholder must meet a standard of care • Contracts must be renewed annually, so the insurer can terminate the relationship

  39. Standard of Care Requirements • Insurers are making standard-of-care requirements mandatory for cyber-insurance coverage.

  40-50. Standard of Care Requirements • Data backup and procedures • Data backup storage • Network firewalls • Security software (e.g. anti-malware) • Well-defined security plan • Password management • Employee security awareness training • Software updates/patches • Standard configurations • Encryption • Vulnerability monitoring