
...Thomas. I work at Zions Bank; I'm also a PhD candidate at George Mason University. This talk, "Cyber Insurance: The Emperor Has No Clothes," I think is different from all the other talks for two reasons. First of all, it's probably the least technical in the computer science sense of the term; the focus here is on how organizations work and how they make decisions. The second difference is I'm not going to try to fill the whole time with presentation. I'm hoping that people here in the audience have questions, want to discuss some things brought up, maybe even want to present a contrary point of view. And I'm not going to provide all the information on this topic. Right up there you see the URL for my blog; the blog post on this topic is the first one that you'll see on that homepage, so please go there if you want to learn more details and understand the fine points of the argument.

So, two preliminaries. First of all, I'm here presenting a reasoned argument. This is the initial part of an investigation. I can't say that every point I'm presenting is fully defended or justified, but I do believe this whole topic has not been sufficiently analyzed. Now, as hackers, one of the things we do is we challenge assumptions, and we especially poke our fingers at how things are supposed to work to see if they work somewhat differently. And my whole thesis here is that the value of cyber insurance has not been sufficiently challenged from a functional and operational standpoint.

The second preliminary is I'm not here to bash insurance companies or insurance people. Quick show of hands: anybody here from the cyber insurance industry? I see at least one. Very good. Okay, so whether you're here in person or you're here virtually or you hear about this talk, there may be other domains where people complain about the insurance companies; this is not one of them. So what I'm really here to talk about is not the risk transfer function of cyber insurance, a perfectly valid function that has its own business case. I'm really here to talk about the incentive and risk pricing function of cyber insurance.

So where did this notion of insurance's incentives come about anyway? It actually started out in the early 1800s. It happens to be the economist Jeremy Bentham, and when they thought about social goods in general, rewards and punishments basically boiled down to some combination of carrots and sticks. And Bentham and other people who came after, their theory of human behavior is: if you get the right combination of carrots and sticks, people in society are going to do what you want them to do, or they're going to do good things. So this theme is carried forward, and if any of you have been to a cyber insurance conference or you've been talking to policymakers, in the back of their mind, and sometimes in the front of their mind, is this whole notion of "well, cyber insurance is potentially good because it provides positive incentives, so we don't have to bring out as many sticks."

Well, there's something problematic about simplifying it to that level, and I'm going to go through a number of objections. But first I'm going to present the point of view of somebody you may recognize, the character of Malcolm Tucker from the British series The Thick of It, and he had his own particular twist on the carrot-and-stick strategy.

[clip plays: "so we should use the carrot-and-stick approach... yeah, discount stick, that was [ __ ] off, followed by the stick, full of an even bigger locality"]

So the point of presenting that is simply that an academic or an idealized notion of carrots and sticks can be quite problematic when they're in the hands of any particular organization or any particular institution to implement.

So where did this idea come from, that insurance would be a good incentive and information system for risk reduction? Well, it turns out it was the Hartford Steam Boiler company in 1866. This is a picture of the stock certificate, and it shows various calamities: industrial boilers, steamship boilers, railroad boilers were blowing up with high propensity, and Hartford Steam Boiler company was the first to build a successful insurance-based business model. But I've highlighted here: it was the Inspection and Insurance Company, not just the insurance company. So right from the very start they had a model of people and knowledge and expertise and customer engagement that would make risk reduction central to the product that they were offering.

So one way of characterizing this debate over cyber insurance is: is security, roughly speaking, like steam boilers? Can it be managed and influenced that way? My reasoned argument is no, for ten reasons, and each of these ten reasons may be relatively true or not true in any particular circumstance. One of the things that troubles me about this belief that cyber insurance is an unmitigated good, and if only everybody applied it things would be better, is it only takes a couple of these ten reasons to cause the system to fall apart in any particular company or in any particular insurance pool. So the Exploring Possibility blog goes into great detail into the following ten reasons. I'm going to read them off quickly, then I'm going to sort of dive into two of them before leading into our discussion.

Okay, so the first point is cyber insurance is bought in your firm by the wrong people, and it's sold by the wrong people. The people who are selling cyber insurance are the same people who sell property and casualty and errors and omissions and every other line of insurance. They have no particular knowledge or expertise in cyber insurance or cybersecurity. Likewise, the people that buy it in your organization tend to be the risk managers, the CFO, people quite distant from security.

Now, this one is a little bit more controversial and a little bit more technical, but we often believe that insurance companies will be able to pool all kinds of information and come up with magical formulas or actuarial models of risk and then be able to underwrite insurance based on that. And I think the actual information basis for doing that is rather weak, and anybody I've talked to, or presentations I've seen in the insurance business, tells me that they're struggling in this arena.

Show of hands: how many people have actually read through the coverage of your company's cyber insurance program? Okay, not very many. That doesn't surprise me. By the way, if you ever get a chance, please try to look through it. Metaphorically, it's Swiss cheese: it covers some things, excludes other things. The whole logic of the contract is to serve the insurance company, not to serve you, and especially not to serve an improvement program in security.

Number four: the claims process is both too expensive, too uncertain as to whether or not it's going to pay off, and certainly not frequent enough to provide feedback between your company and your insurance provider.

Number five: the two-way information flow, aside from [inaudible], is woefully inadequate. Now, insurance companies are expanding somewhat in this area by contracting with risk rating firms like BitSight, but it is in no way close enough to what it needs to be.

Number six: the cycle time between stimulus, meaning something happens in your organization, something changes in the environment, and something changing in your policy is way too slow. It may be six months, nine months, 12 months, 18 months, 24 months before some change in the threat environment or the security environment is reflected in your policy, and that is way too slow to have a useful influence on security decision-making.

So one of the conventional wisdoms is higher cyber insurance premiums will be a signal that your cybersecurity practices need to improve, and conversely, if you do good at that, your insurance premiums are going to fall. Well, the blog post enumerates a whole bunch of reasons why this is a noisy signal and it's not a very reliable signal, and I'm going to go into this a little bit in the following discussion.

Now, number eight doesn't get talked about enough. I believe strongly that firms need to focus on retaining risk to the extent that they can, because firms, when they've built it, have the best ability to understand what they're in and to mitigate them. So even if risk transfer makes sense from a corporate finance standpoint, it should be a second or third line of defense, not a primary one.

Insurance company risk models fit their needs, not your needs. They don't supersede the opposite need and requirement to develop risk models internally or in conjunction with your service providers.

And finally, and I've gotten debate on this topic, it really does not fit networked, interdependent risk. Yes, there's something called third-party risk contracts, but when I say networked, interdependent, I'm talking about the sort of [inaudible] between coverage, so all of the players in a supply chain or in a value chain or in a value network have complementary incentive signals rather than the incentive to put the blame or the liability or responsibility on someone else. And I think we learned some lessons here. It was at the Target breach where the blame was put on their third-party contractor; we see this happening a lot.

Okay, so I want to look at two of these in more detail, and I'm going to provide some data from a survey that somewhat supports and maybe contradicts some of the points I'm making. So the two characters in the foreground are the people who are buying and selling. Let's say the red is the insurance company and the white is your firm. Somewhere in the background are people involved in infosec, whether it's the CISO, whether it's your technical architects, enterprise architects. These are not at the focal point. You're not choosing the company, you're not choosing the coverage, you're not dictating the information flow process.

So here's data from the survey. They talked to 203 people who were involved in information security. You notice the deciders here: the executive board, the executive management, the board of directors. Lots of influencers, but the senior security management, compliance, and technical people are at the bottom of the list in terms of the people involved in recommending. I've got a couple quotes on this in a second. So I apologize for the pie charts; I did a cut and paste here. This sort of goes against data visualization best practices. So yes, the technical people are frequently involved, but quotes from the survey are very revealing. So the risk managers themselves, who are on point, really are not very well informed and don't feel very knowledgeable about cybersecurity, so they depend upon the technical people. But the technical people don't generally get involved, because often they don't even see the value in the exercise, and it appeared to me from the survey that the technical people get involved when it comes to filling out the survey, filling out the audit reports. So it's a one-way flow, it's a check-box type task, it's not collaborating on the decision making. So I think that's further supporting the idea that we don't have the right people at the table in the buying and selling decision; therefore you're not going to end up with cyber insurance coverage that drives the improvements in security.

So the other problem area I want to focus in on is the variation in premiums. Some of you may know about the publication Virus Bulletin. This is John Hawes; I believe this was a 2013 article that he put out in Naked Security. He capsulized what many, many people say about cyber insurance, and they'll use the same connection to auto insurance or home insurance, and they say, "well, if you do these things, your premiums will go down." Well, let's look at what the survey says about that. So first of all, of the 203 people, only thirty-three percent said their firm actually engaged in cyber insurance, and of those, thirty percent have the insurance bundled in with a whole bunch of other things. Now think about that for a second. If you've got a comprehensive corporate policy that covers cyber insurance, errors and omissions, property and casualty, a whole bunch of other stuff, how big and how important is the cyber insurance signal in there about how big your premiums are going up and down? So at least one third of the people are not getting a very good signal out of this in the first place.

And then the question is, well, what happens to that signal at all? Well, some people will say, "well, in order to qualify for cyber insurance in the first place, you've got to bring your cybersecurity up to a certain level." Well, here's a survey of underwriters, happens to be 194 of them, and here's all the things that they say disqualified somebody from cyber insurance. Well, this looks like a decent, what you might call, hygiene list, but I don't know anybody in this room, CISO or even a technical manager, who would say "if I only do these things, then I'm doing top-notch cybersecurity." This is the ante; this is the entrance state. And if cyber insurance only gets you to the ante, we can't really make a claim that it's taking you to any level of excellence. And here's a similar set of questions, which to me is what's most important: what changes did you make in your organization because you engaged with or purchased cyber insurance? Number one is "implemented policies and processes," which could be good or could be meaningless depending upon what those policies and processes are.

So the last element I want to bring up before opening up for discussion and debate here is just one headline I've seen recently. A British firm, CFC Underwriting, at one of their annual meetings presented some survey results, and they say insurance premiums are rising, and "we believe it's the fear of security incidents like the Yahoo breach which has increased demand." In any market where demand increases and supply is restrained, prices are going to go up. Well, if prices go up not because my firm is doing worse but because lots of other people are buying the product, what kind of signal does that send to my firm?

Okay, so there's lots of factors that drive premium prices up and down. There's even lots of debate in this industry whether it's going to turn out to be cyclical, like property and casualty, or it's going to be stable. But the whole notion that premium prices or coverages themselves are going to be a good, reliable signal, I think, is fallacious. So that ends the core of my talk. I'm getting approached by several publishers here, so really, maybe we've got a book deal in the works. And now I want to open up. We've got about 13 minutes for questions, comments, and counter-arguments.
Right down in front. I'll try and repeat the question. Go ahead, stand up. Okay, let's talk then.

"So I tend to agree with your points about the effects of cyber insurance on the organization, on the corporation, as it's buying insurance. What would be your thoughts around the effect of cyber insurance as driving the overall quality of security in products that are being purchased? In other words, the cyber insurer is a more knowledgeable buyer of security, thus reducing the information asymmetry."

Okay, excellent question. So I have two answers to that. First of all, I see no operational, on-the-ground evidence that cyber insurance firms are building expertise to the level they need. One piece of evidence is who attends conferences like this, who attends the Workshop on the Economics of Information Security, who presents there. It's not the cyber insurance company; they are following rather than leading. The second thing is, let's consider an alternative to cyber insurance. Let's say there are industry associations or even government agencies that simply pay you for implementing the NIST Cybersecurity Framework, or pick any framework you want. Why do we have, what is the social value of having the insurance, the coverage, the claims process? There's quite a lot of informational and functional overhead associated with it without clear evidence that they're going to provide the value, the driving force, that you just described. Now, I think alternative insurance-type products that have a completely different institutional structure could work, but I don't think the current model in cyber insurance will do it. Okay, next question. Yes, please.

Okay, the gentleman brought up two points. First of all, he says cyber insurance is in its infancy; it's maybe not fair and maybe not proper to criticize it in its current form. Maybe give it time; it's got to go through its growth spurts. The second point is, well, maybe pushing hygiene is a sufficiently valid reason. Okay, on the first point, I would like to be more optimistic. In fact, I'd like to believe in the creativity of a nascent industry. Unfortunately, what I see here, compared to the rest of what's called fintech, peer-to-peer lending, micro-lending, there's a huge energy of creative entrepreneurship in fintech. We do not see the same in cyber insurance, and I wish there was. And the reason being is this is all happening within the existing institutional structure of insurance: the same companies, the same legal process, the same regulatory structure, the same human beings with the same skill set, and they're trying to say, "well, cyber insurance is like all these other lines, and we're going to invest in it and we're going to grow." And by the way, that's why you see some people wanting to have a government mandate for insurance to drive adoption, right?

Okay, so the second point about hygiene. In other presentations I have had some negative things to say about aiming for hygiene, because I think it aims too low. On the other hand, what's called hygiene is so obviously bad in so many places, a case could be made that we've got to drain that particular swamp. I would argue that there are better ways, and I certainly wouldn't claim that the major social value of cyber insurance will be to drive hygiene, because there's a dozen other ways that'll be more economical and more effective to do it than that. Other questions? Anybody strongly disagree with any of these ten, have different points of view? Yeah.
Okay, so his question is, what about the PR aspect? You mean the PR aspect of big claims and big breaches, or...?

So he's asking about the public reaction to... to what?

Ah, okay. So he's saying companies tend to react to negative publicity around breaches, and that's sort of what that British underwriting firm was arguing: that they're seeing demand for insurance because of these highly publicized breaches. I'm not sure how that relates to the effectiveness of cyber insurance, though. Do you have anything to...?

Okay, so he's adding that this has put a spotlight on brand damage associated with breaches, and things that might be covered under an insurance policy, whereas otherwise they may not be given visibility, thought of as soft costs. That's a valid argument, and if the claims process was more expeditious... So take for example the Target breach or the Sony breach, to my knowledge, and even the Heartland breach: it was four or five years before the insurance payouts. Forgive me, maybe it's three years. It's not the same year; it's not within six months. So there's a time urgency. If we think about the DFIR investigation, the attribution investigation, the corrective action, right, so the type of corrective actions you've got to do in your vendor value chain, all that has to happen on a very quick time scale. Even personnel changes in the firm, right: we have inadequate staffing, we have inadequate leadership in our information security organization, that's going to happen within a few months. And if the insurance settlement payout is years later, that is way too slow to have an influence on the process.

And in the blog post I talked about a number of strategies that corporate executives could take to minimize the premium costs in the short run to meet their numbers, because if they get... hell, if you're... I can't see the number, raise a finger. Okay, thank you, I'll be done in just two minutes. If you are a chief financial officer and you're leading the risk committee and you're going in front of the board, and let's say the board is going to be really hard-ass about this, and they're going to say, "you, as chief financial officer, will not get your bonus if our cyber insurance premiums go above X, or we encounter an increase of such and such a size." Now, who here has seen a performance measurement system gamed or scammed or manipulated? I know I have. Do you read the news? It's happened in public education, it happened in Toshiba, it's happened lots of places. I've seen it happen on enterprise-wide IT projects. So the first place to manipulate that is in the coverage, right? Who's going to read 47 pages of coverage? And there's lots of things you can do to manipulate and control the amount of premium that you're charged, which is the visible thing, without actually improving security, and maybe your successor is going to deal with the consequences of that. So if I'm a CFO, if I'm five years away from retirement, I'm gambling that within the next five years either I don't have a breach, or if we do, this insurance settlement happens after I'm gone, or the responsibility is diffused. So I guess the last thing is... are there any other questions, or... yes, please.
Okay, this is a superb question, thank you, sir. He said it's so [ __ ] broken, is there room for a start-up? So I have two answers to that. Yes, and it's the road less traveled, meaning you're going to be walking 40 miles through the desert eating locusts for a long time, because if you compare what it would take to do a start-up in this environment to the latest in AI for threat intelligence or any purely technology thing, we do not have, including the funding agencies, the venture capital agencies, good models for how to develop this. Now, I believe there will be entrepreneurial organizations going after it, but it's going to have to start small, very niche-focused, and develop something that works in the classic disruptor-type model, right, the ignored part of the marketplace, and then get momentum so that you can start taking over more of the mainstream. So thanks, everybody, for your attention, thanks for your questions. Take a look at the blog, follow me on Twitter. Thank you.

Thank you. So on behalf of BSides and Fitbit, I think the organizers deserve yet another round of applause. You guys do an awesome job. Twice as many attendees as last year; we really appreciate their work. Thank you. And huge thanks to our sponsors: Fitbit, HackerOne, and VerSprite. We'll be back at 4:10. Thank you.