Can anyone insure against a cyber-hack?

A US Government official has suggested that businesses should insure themselves against security attacks, which is a nice thought, but is it really possible?


The story that emerged earlier this week that Michael Daniel, a special assistant to US President Obama and cyber-security co-ordinator, is suggesting that major corporations should consider insuring themselves against security attacks raises some interesting questions, not least because there has to be doubt about whether such a thing is actuarially possible to organise.

It is not a new subject, either. Nearly two years ago Peter Coffee, Vice President and Head of Platform Research with Salesforce.com, was suggesting that insurance policies would be a better option for users of cloud services than contractual SLAs. As he pointed out at the time, the bottom line for any SLA is that it will very rarely include a clause about reimbursing a customer for the cost of a lost service. At best the provider will probably not charge the customer for what they didn’t get.

But this is an area of cloud service provision that can be quantified. For a company like Salesforce, it could be close to the kiss of death not to have the best possible handle on its operational and reliability figures. That would mean having no chance of predicting an imminent failure of part of the service, an event that could easily cause irreparable damage to the reputation of the business.

And with such numbers available, it becomes possible to present insurance actuaries with the background information they need to build their financial models. With data on the reliability of the service overall, the most common failure modes and their impact, and the results of pre-emptive interventions and maintenance procedures, those actuaries can decide the premiums to be paid, the payments made as recompense for failure, and the all-important escape clauses that will invalidate the need for recompense.

That is a model that will work, and should work well with the cloud where every service provider lives or dies on the reliability of their service delivery. It becomes a market where actuaries can build insurance policies for all Cloud Service Providers and most types of customer, for the model will be based on a continually growing repository of reliability figures.

The same cannot be said, however, for security breaches, for the data available to the actuaries will contain too many variables, and from the customers’ point of view the number of escape clauses available to the insurance providers would likely make paying any premium a waste of money.

For example, if a business suffers a security hack of a type that has never been seen in the wild before and for which there is, therefore, no known defence as yet, it would seem that the insurer might be liable for a maximum pay-out. But what if the business was an early adopter of some new device or technology and the hack was against that device? Is the business now at fault for using it and opening an unknown door to cybercriminals?

And if a business is hacked by a known attack method but its defences prove to be weak (perhaps weaker than the security service provider claimed or implied), will the service provider be liable, or will the business be liable for having selected a service provider that proved to be weak? Rest assured that the insurance provider will happily duck at this point, either way.

Then comes the issue of proving the value of the damage any cyber-attack might cause. This could involve giving away for third party valuation the very data that has been already stolen. Without such a valuation there could be endless arguments between insurer and insured. Yet many of the latter are likely to be unwilling to expose such data to that type of scrutiny.

There is also the issue of the process of the attack. If, for example, one member of staff in a business is, however momentarily, arguably lax about one small element of personal information with any other individual, will that mean that the ID authentication processes have inevitably become compromised?

It is probably best not to even consider the insurance implications of one application or service provider within a package of such providers that go to make up a cloud service finding itself obliged by a national government somewhere to divulge any information it might have about anything.

So building a workable insurance regime that could provide recompense against cyber-security breaches is likely to prove next to impossible.

It might, of course, provide a very good new market for big data analytics providers. It would require the continuous collection of the most prodigious volumes of operational and transactional data, plus the inevitable ‘battle of the analytics’ as the chosen analysis tools of the insurer and insured fight it out.

Insuring against unreliability and poor service is one thing, and eminently doable now. But insuring against a security hack, though a comforting thought, will probably be like those pet insurance policies which state ‘this policy excludes any disease that a dog/cat/horse/elephant (or whatever pet is being covered) commonly suffers’: essentially a waste of money.
