Failure to Launch 2: Cyber Insurance

In the much-anticipated sequel to the beloved box office hit starring Matthew McConaughey and Sarah Jessica Parker, Failure to Launch 2: Cyber Insurance has viewers on the edge of their seats wondering “when will this end?” and “is this a terrible title for a blog or am I just super lame?” The story brings us a new landscape of an ever-changing cyber threat environment and a whole new cast of worried insurers, dangerous cyber criminals, and unsure decision makers at companies big and small. Be sure to catch the movie, streaming on Netflix this Fall.

On the off chance that you’re not a cybersecurity professional, let me first explain the ever-changing cyber threat environment and the rise of cybersecurity insurance. Cybersecurity has changed drastically over the past 30 years. In 1988, a curious graduate student from Cornell developed a relatively simple computer worm that was able to propagate to 15,000 machines, roughly 25% of the internet in those early years. It took 12 years, until the early 2000s, for worms to become mainstream, with cybercriminals effectively targeting companies and individuals with the sole purpose of disrupting them.

In 2005, things began to change, and criminals began treating their worms as money-making ventures. A criminal would create a worm or virus with a call-back function to a central server. The malware would spread across the internet to unsuspecting individuals’ computers and stay dormant until the central server issued a command. The most notorious of these commands were ping floods; a ping is essentially one computer asking another whether it is online. The infected computers are called bots, the collection of bots answering to one central server is a botnet, and the criminal who manages that server and commands the botnet is called a bot-herder. Individuals, companies, or other entities would pay the bot-herder and name a target; the bot-herder would then command all of his bots to send a stream of ping requests to that target. The target’s computers, inundated with pings, would divert all of their resources to answering them, leaving no processing power for their normal duties; websites would crash, and companies were left unable to operate. The industry term for this type of attack is a Distributed Denial of Service (DDoS) attack.
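As an added defender-side illustration (not code from the original post), the check below flags the kind of distributed ping flood just described by looking for a high inbound ICMP rate coming from many distinct senders at once; the flow records, IP addresses, and thresholds are all constructed for the example.

```python
from collections import defaultdict

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, proto).
SAMPLE_FLOWS = [
    # Normal monitoring: one host pings the web server once per second for 30 s.
    *[(t, "10.0.0.5", "203.0.113.10", "icmp") for t in range(0, 30)],
    # Botnet flood: 40 distinct bots each send 20 echo requests within 10 s.
    *[(30 + (n % 10), f"198.51.100.{b}", "203.0.113.10", "icmp")
      for b in range(1, 41) for n in range(20)],
    # One chatty host: 600 pings in 10 s to a different server, single source.
    *[(40 + (n % 10), "192.0.2.7", "203.0.113.20", "icmp") for n in range(600)],
]


def detect_icmp_floods(flows, window=10, min_rate=50.0, min_sources=20):
    """Return {dst_ip: (peak_rate_pkts_per_s, distinct_sources)} for every
    destination that, in some `window`-second bucket, received ICMP at or
    above `min_rate` packets/s from at least `min_sources` distinct senders.

    Requiring both thresholds is what separates a botnet flood (many bots,
    modest rate each) from a single misconfigured or noisy host, which the
    rate threshold alone would also catch.
    """
    # buckets[dst][time_slot] -> [packet_count, {source_ips}]
    buckets = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for ts, src, dst, proto in flows:
        if proto != "icmp":
            continue
        slot = buckets[dst][ts // window]
        slot[0] += 1
        slot[1].add(src)

    alerts = {}
    for dst, slots in buckets.items():
        for count, sources in slots.values():
            rate = count / window
            if rate >= min_rate and len(sources) >= min_sources:
                peak_rate, _ = alerts.get(dst, (0.0, 0))
                if rate > peak_rate:
                    alerts[dst] = (rate, len(sources))
    return alerts


if __name__ == "__main__":
    for dst, (rate, sources) in detect_icmp_floods(SAMPLE_FLOWS).items():
        print(f"possible DDoS against {dst}: {rate:.1f} pkt/s from {sources} sources")
```

Lowering `min_sources` to 1 turns the check into a plain rate alarm, which also fires on the single chatty host; the distinct-source condition is what keeps the alert specific to the distributed case.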

Table 1: cyber-attack statistics by year (source: https://sectigostore.com/blog/42-cyber-attack-statistics-by-year-a-look-at-the-last-decade/). Note the stagnant amount of reported losses until 2013.

In 2013, the threat landscape took another turn, and we began seeing the rise of ransomware attacks. The virus that was originally installed on your computer could now also work out which applications you had installed and which patches you had applied, and send that information to a central server to determine which vulnerabilities were available to exploit. The central server would automatically supply the virus with the matching attack mechanisms, and the virus would begin its attack by exploiting the vulnerability and encrypting your system files. It would then display a screen demanding payment in return for the key to the files. Over time, criminals realized that while a single person might pay $300 for their family photos, a company with hundreds of computers that had not prioritized cybersecurity would be left with no option but to pay the ransom.

Given the rise of targeted ransomware and other types of cyber-attacks that directly affect companies of all sizes and industries, a new type of insurance offering has emerged that covers the financial losses resulting from IT and cybersecurity related attacks; general insurance policies do not include language covering these areas. Cybersecurity insurance coverage usually includes losses from data destruction, extortion, theft, hacking, and denial of service. Items typically not covered include the costs of improving the cybersecurity posture, software and hardware upgrades, and future losses; potential regulatory fines or lawsuits stemming from a failure to safeguard data are also not covered.

The current global cyber insurance premium is estimated at $5B, which is 0.08% of the global insurance marketplace premium of $6.3T. While I’m not expecting this percentage to hit the double digits anytime soon, the relatively small size is a cause for concern for the future of cybersecurity insurance. Due to the COVID-19 pandemic, companies have shifted to viewing cybersecurity insurance as a luxury rather than a necessity, threatening the demand for the insurance as an offering in the first place. Additionally, while the rise of cyber attacks may increase demand, it may also threaten supply, as insurers become more uncertain of the environment and question the actuarial analysis that was previously performed. Taking this one step further, there simply is not enough historical data to accurately predict the rate of cyber attacks by industry or company size, as there is for traditional insurance policies covering risk of foreclosure, risk of fire, life expectancy, and so on. All of these factors lead to the conclusion that there is not enough money in cybersecurity insurance at this time, and there is no clear path to this type of insurance ever becoming a standard instead of a nice-to-have.

Business leaders need to have a plan in place for how they will address cyber risks. The industry is ever changing, requiring constant review of your risk management plan to ensure that risks are appropriately mitigated. We simply cannot address all risks in-house, and it often takes a broad approach to ensure that all risks are mitigated. Just as you have smoke detectors in your home, blow out candles before you go to sleep, and double-check that your fire extinguisher has not expired, companies are hiring more cyber professionals, diverting more resources to the cause, and ensuring that they comply with regulatory requirements. However, after the firefighters have extinguished a fire that started while you were not home, you call upon your renters or homeowners insurance to find out how to claim the fire coverage you have. Most companies do not have that final call; they are left with financial losses from recovery costs, operating losses, and reputational and brand damage. Maybe it’s time that companies wise up and consider additional coverage against cyber attacks; if they act too late, the industry may just dissolve.


12 comments

  1. Very well written blog, I think it’s an interesting topic to discuss. Considering what’s happened throughout history with insurance companies, and the elevated risk with recent economic events, I don’t see this being a successful venture long term. Eventually, hackers are going to get so good at their jobs that the risk of payout will be imminent. There’s a market for the need of cybersecurity insurance, but I’m not sure there’s a company or individual who can successfully satisfy the insured should something significant in fact occur.

  2. This was a fantastic read! I am very unfamiliar with the cybersecurity industry on a whole and did not realize that cybersecurity insurance was even a thing. It also sounds like I’m probably not the only one. At the rate that technology is evolving it should be a no-brainer to also have this insurance, especially with the recent pandemic making everything much more digital than it was previously. Great blog, I appreciate learning more about this and will keep it in mind for the future.

  3. I had never heard of cybersecurity insurance before this blog, but it makes complete sense! If I were a business owner, cybersecurity would be my biggest concern because the field faces new challenges literally all of the time.

    Your words inspired me to do my own research. I thought it was really interesting that the Cybersecurity & Infrastructure Security Agency (CISA) pulled people from a variety of groups (academia, infrastructure owners and operators, insurers, chief information security officers (CISOs), risk managers, and others) to build a stronger cybersecurity insurance market. That alone shows how difficult it has become to mitigate and prevent data breaches, business interruption, and network damage.

    https://www.cisa.gov/cybersecurity-insurance

  4. Great deep post that is a wonderful complement to your presentation.

  5. Super interesting! I had also never even considered the idea of cybersecurity insurance, but after reading your blog I am shocked that it isn’t more widespread. I was also surprised to see that the pandemic caused leaders to view cybersecurity insurance as a luxury and not a necessity – I would have thought it would be the other way around with so many remote workers potentially creating access points to exploit. I suppose industry executives are more concerned with solving the underlying issues to prevent or mitigate cyber attacks – perhaps cybersecurity insurance wouldn’t be enough to cover the reputational damage and other risks associated with such events.

  6. While all of the blogs I’ve read this semester have been interesting and entertaining, I think I may have learned the most from this one. Everyone knows that cybersecurity is becoming much more important as the push to go digital increases, but I never really dug into the history of cybersecurity. I was really surprised to learn about the rise of ransomware attacks in 2013 as I would have expected that to have started occurring much earlier, maybe around 2005. What a troubling graph as well, showing a meteoric rise in ransomware damages starting at 325mm in 2015 and ballooning to 20b in 2021. Loved the comparison to a house fire as well, which highlights that the solution to this problem has nothing to do with picking up the pieces after disaster strikes; it’s to prevent it from occurring in the first place.

  7. Excellent post which I honestly almost shared with my mom, who had her personal Facebook hacked this past summer. For her, it did not make any sense why anyone would want a middle-aged woman’s Facebook account, but this helped make it make sense.

    In my role, I actively work with students who are scammed out of thousands of dollars from responding to fake work study emails and they generally have a very hard time regaining any of their funds, since it is often given through gift cards. I am curious if any individual option will be made available, like renters insurance which we often recommend for students living on campus.

    I can only imagine the kind of damage someone could do to the Boston College infrastructure, and while it is annoying, I am grateful for the efforts of someone making sure my work-related information stays ransom-free.

  8. Your call to action for companies to do more to protect themselves and their customers is certainly a good baseline for them to meet. However, is there any literature on companies attempting to go beyond defensive measures and insurance policies? For example, are there services out there today that not only protect firms, but also counterattack bad actors to neutralize their capabilities and threaten their resources?

  9. Really good blog and I agree with many of my peers above in that I did not know about cyber security insurance nor had I really given it much thought before. That’s changed a bit now and it’s something I might look at when renewing my policy in the future. @shanpopzaruba made a great point above regarding Facebook. I have also seen people hacked, and no offense, it’s typically folks in the older crowd who might not be as literate on the internet as us younger folks who grew up on it. What kills me is I see people who message out “my account got hacked so I’m opening up a new one,” which tells me they really didn’t think too much into the problem. For one, starting a new account probably doesn’t eliminate the vulnerabilities to your new account. My guess is most of these people might just change the email on file, but I bet a lot don’t change the password… And two, it tells me they are thinking it’s commonplace and no big deal, “I’ll just start the new account,” instead of taking a step back and asking, hmm, what have I been doing that exposed my account to this in the first place?

  10. Awesome job with this, and a very neat complement to the class presentation. Your post reminded me of this cool website, https://www.security.org/how-secure-is-my-password/ where you can input a password and it will estimate how long it would take someone to “hack” that password.

    1. Sounds like a good way for you to get your password stolen….

  11. Love the title – it’s so not lame.

    I think cybersecurity insurance is important, but it doesn’t really work. It’s ‘nice to have,’ as you mention, in that it gives a sense of security; however, I’d say it’s a false sense of security. As I understand it, once ransomware gets through, you’re doomed. The data is either ruined or, at least, questionably corrupted to ruin things once again.

    I’m seeing a lot of construction project owners require this insurance, but, again, by the time you make the claim on the policy, it feels like it may be too little too late. But, I guess it’s better to have ruined data + money from insurance than just ruined data?
