Title: A Framework for Using Insurance for Cyber-Risk Management

Slide 1: A Framework for Using Insurance for Cyber-Risk Management
- Lawrence A. Gordon, Martin P. Loeb and Tashfeen Sohail
- CSCE 824, Spring 2005: Secure Database Systems
- Sarika Saxena
- Department of Computer Science and Engineering, USC
- April 14th, 2005

Slide 2: Contents
- History and Facts
- Introduction: Cyber Insurance
- Unique Characteristics of Cyber Risks
- Insurance companies, policy issues
- Insurance Coverage
- Framework for Information Security
- Four-step Decision Plan
- Conclusions
- References
Slide 3: History and Facts
- Information security issues are at the forefront of the agenda for corporate executives.
- Brought into importance by the 2002 CSI/FBI survey (responses from 503 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities):
  - 90% of respondents detected a security breach.
  - Average estimated loss: $2 M per organization.
  - 74% reported their Internet connection as a point of attack.
  - 223 respondents reported approximately $456 M in financial losses.

Slide 4: How did Cyber Insurance come into existence?
- Traditional security measures cannot fully eliminate the risk of security breaches and the associated losses:
  - Passwords
  - Biometrics
  - Antivirus software
  - Intrusion detection systems, etc.
- So a new approach was developed.
Slide 5: Cyber Insurance
- Deals with the risks of substantial financial losses that remain after technical security measures have been instituted.
- Provides coverage against losses from breaches related to computer networks, intranets and the Internet (typically, any place where data can flow electronically).
- A firm may hedge its potential losses from cyber crime.

Slide 6: Unique Characteristics of cyber-risk
- Location: a perpetrator may be thousands of miles away from the business location.
- Degree: virus damage can go beyond effects on data and software (business interruption, defamation, etc.).
- Visibility: the commodity on the Internet is information. Security breaches (of a firm's sensitive information) often go undetected.

Slide 7: Insurance companies and policy issues
- Companies: AIG, Chubb, Fidelity and Deposit, Marsh, Lloyd's of London, etc.
- In designing new policies, the issues addressed are:
  - Pricing
  - Adverse Selection
  - Moral Hazard

Slide 8: Pricing
- Traditionally relies on actuarial data constructed from voluminous historical records.
- The Internet is relatively new; histories of e-crimes and related losses do not exist.
- Insurance companies are trying to quantify what some claim is an unquantifiable risk.
Slide 9: How to quantify risk?
- Quantitative model: determine the chance and frequency of e-crimes and related losses; the equivalent of actuarial tables can help. AIG and others are already building actuarial tables.
- Private incident-response centers are gathering and publishing statistical data on the frequency of certain events that could expose risk.
- Government and research databases are also filling with information that is quickly growing large enough to detect trends and probabilities.
- CERT Coordination Center at Carnegie Mellon: 15,167 incidents were reported in 2000, an increase from 9,859 in 1999. These reports could be mined for deeper statistical data.

Slide 10: Adverse Selection
- Refers to the problem that arises because a firm choosing to insure against a particular loss is likely to have private information not available to the insurance company at the time of contracting.

Slide 11: How to deal with adverse selection?
- Security audit: when offering an insurance policy, insurance firms require an information security audit.
- Identify high-risk users: insurance firms identify these users and differentiate the premium for them.
- Example: JS Wurzler, offering a policy to cover losses from hackers, adds a surcharge to firms using Microsoft's NT software for Internet operations. Insurers consider Microsoft NT high-risk.

Slide 12: Moral Hazard
- Adverse selection deals with the insured's private information prior to contracting.
- Moral hazard deals with the insured's lack of incentive to take actions that reduce the probability of a loss after purchasing the insurance.

Slide 13: How to deal with Moral Hazard?
- Deductibles: the insured will suffer some loss if a security breach occurs. This provides a monetary incentive for the insured to take actions that reduce the likelihood of the loss actually occurring.
- Premium reductions: policies offer these reductions for taking actions that reduce the probability of a loss.
- Example: AIG offers discounts to firms using Invicta Networks' security device for shifting Internet Protocol addresses.
Slide 14: What Cyber Insurance Covers
- Computer networks, the Internet, e-mail and websites exposed to damage and liabilities from unexpected sources such as defamation, hacking, fraud or virus attack.
- The costs of third-party legal claims against you (the insured company) arising out of your e-activities (e-mail, e-commerce and your website).
- Losses suffered as a result of viruses or hackers, even if your employees carry out or aid the attack.
- Your liability due to your customers' credit card numbers being stolen, or the theft of your money during transactions on electronic networks.

Slide 15: Cyber Insurance Coverage (continued)
- Claims made against you by your employees for an unsuitable office environment due to disturbing e-mail content or website use, or due to breaches of confidentiality.
- Financial losses suffered due to a business interruption that prevents you from using your computer systems or trading via your website.
- Damage to your computer network or any data you hold electronically arising from unauthorized access.

Slide 16: Policies available
- Chubb's Cyber Security
- AIG's NetAdvantage Security
- Hiscox's Hackers Insurance
- Legion Indemnity's INSUREtrust
- Lloyd's e-Comprehensive
- Marsh's NetSecure
- St. Paul's Cybertech

Slide 17: First-party risks
- Occur when the insured faces the possibility of a loss of profits due to:
  - Theft of trade secrets
  - Destruction of the insured's property (software, hardware and data)
  - Extortion from hackers

Slide 18: Third-party risks
- Faced by the insured because of damages caused, directly or indirectly, to another firm or individual.
- Include liabilities for:
  - A computer virus inadvertently forwarded
  - Failure to provide products (as contracted) because a hacker or virus stopped the insured's delivery system
  - Content placed on the company's website (infringement of copyrights)
  - Theft of information held about a third party, such as credit card records
Slide 19: Cyber-Risk Management Framework for Information Security
- The process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk.
- The value of the information vulnerable to threats also needs to be considered.
- Value-Vulnerability Grid:
  - Helps identify which information should receive what level of security.
  - Categorizes information from high to low for both value and vulnerability.

Slide 20: Value-Vulnerability Grid (figure)

Slide 21: Next, reduce information security risk to an acceptable level.
- The acceptable level varies from organization to organization, based partly upon the location of the information in the V-V grid.
- Two steps to reduce risk:
  1. Invest in protecting against the risk of actual security breaches by installing firewalls, encryption and access control techniques.
  2. Acquire cyber-risk insurance.

Slide 22:
- 483 computer security practitioners in US corporations, government agencies, financial and medical institutions, and universities participated.

Slide 23: (no text on this slide)

Slide 24: Cyber-Risk Management Framework for Information Security
- Cyber-Risk Management Process
Slide 25: Decision Plan

Slide 26: Conduct an information risk audit
- The audit uncovers the firm's information security risk exposure and places a value on that exposure.
- Ensure that intrusion detection systems are in place to provide documentation on breaches.

Slide 27: Assess current insurance coverage
- Corporate executives review existing property and liability insurance policies.
- The review focuses on gaps in Internet-related coverage in the current policies.

Slide 28: Examine and evaluate available policies
- Puts the firm in a better position to negotiate with its current insurance providers.
- Consider the firm's potential losses and the security measures in place.

Slide 29: Select a policy
- Select the policy appropriate for the unique circumstances of the given firm.
- The policy should have the desired additional coverage at an acceptable price.
- Companies should determine the portion of financial risk they want the insurance company to cover and the residual portion they are willing to bear.
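The two risk-reduction steps (protect first, then insure) and the split between the portion of a loss the insurer covers and the residual portion the firm bears can be made concrete in a small risk register. The following is an added example, not code from the slides or from the Gordon, Loeb and Sohail paper: it places constructed information assets in the Value-Vulnerability grid to order protective investment, then applies a policy's deductible and coverage limit to each asset's breach loss. The asset names, dollar amounts, breach probabilities, deductible and limit are all constructed for illustration.

```python
# Added worked example (not from the slides or the Gordon/Loeb/Sohail paper):
# places constructed information assets in the Value-Vulnerability grid and
# shows how a policy's deductible and coverage limit split each loss into the
# portion the insurer pays and the residual portion the firm keeps.
# All asset names, dollar amounts, probabilities, deductible and limit are
# constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class InfoAsset:
    name: str
    value: str                 # "high" or "low": business value of the information
    vulnerability: str         # "high" or "low": exposure of the information to threats
    loss_if_breached: float    # estimated loss from one breach, in dollars
    breach_probability: float  # estimated annual probability of a breach


_RANK = {"high": 0, "low": 1}


def grid_cell(asset: InfoAsset) -> str:
    """Name the V-V grid cell the asset falls in, e.g. 'high-value/high-vulnerability'."""
    if asset.value not in _RANK or asset.vulnerability not in _RANK:
        raise ValueError(f"{asset.name}: value and vulnerability must be 'high' or 'low'")
    return f"{asset.value}-value/{asset.vulnerability}-vulnerability"


def protection_priority(asset: InfoAsset) -> int:
    """Step 1 ordering: 0 = high value and high vulnerability (protect first), 3 = low/low."""
    grid_cell(asset)  # validates the ratings before ranking
    return _RANK[asset.value] * 2 + _RANK[asset.vulnerability]


def split_loss(loss: float, deductible: float, limit: float) -> Dict[str, float]:
    """Step 2: the insurer pays the part of one breach loss above the deductible, up to
    the coverage limit; everything else is residual risk the firm bears. Because of the
    deductible the insured still feels every breach, which is the moral-hazard counter
    described on the deductibles slide."""
    if loss < 0 or deductible < 0 or limit < 0:
        raise ValueError("amounts must be non-negative")
    transferred = min(max(loss - deductible, 0.0), limit)
    return {"transferred": transferred, "retained": loss - transferred}


def risk_treatment_plan(assets: List[InfoAsset], deductible: float, limit: float) -> List[Dict]:
    """Assets in protection order, each with its grid cell, expected annual loss and
    the insurer/firm split of a single breach loss under the given policy terms."""
    plan = []
    for asset in sorted(assets, key=protection_priority):
        parts = split_loss(asset.loss_if_breached, deductible, limit)
        plan.append({
            "asset": asset.name,
            "cell": grid_cell(asset),
            "expected_annual_loss": asset.loss_if_breached * asset.breach_probability,
            "transferred_per_breach": parts["transferred"],
            "retained_per_breach": parts["retained"],
        })
    return plan


def portfolio_summary(assets: List[InfoAsset], deductible: float, limit: float) -> Dict[str, float]:
    """Expected annual loss over all assets, and how much of it the policy is expected
    to absorb versus leave with the firm (the residual portion it chooses to bear)."""
    total = transferred = 0.0
    for asset in assets:
        parts = split_loss(asset.loss_if_breached, deductible, limit)
        total += asset.loss_if_breached * asset.breach_probability
        transferred += parts["transferred"] * asset.breach_probability
    return {
        "total_expected_loss": total,
        "expected_transferred": transferred,
        "expected_retained": total - transferred,
    }


# Constructed sample register and policy terms (illustrative values only).
SAMPLE_ASSETS = [
    InfoAsset("customer card records", "high", "high", 1_500_000, 0.10),
    InfoAsset("trade secrets", "high", "low", 3_000_000, 0.02),
    InfoAsset("marketing website", "low", "high", 200_000, 0.30),
    InfoAsset("cafeteria menu", "low", "low", 5_000, 0.50),
]
SAMPLE_DEDUCTIBLE = 100_000
SAMPLE_LIMIT = 1_000_000

if __name__ == "__main__":
    for row in risk_treatment_plan(SAMPLE_ASSETS, SAMPLE_DEDUCTIBLE, SAMPLE_LIMIT):
        print(row)
    print(portfolio_summary(SAMPLE_ASSETS, SAMPLE_DEDUCTIBLE, SAMPLE_LIMIT))
```

With the constructed terms, the trade-secrets asset shows why step 1 comes before step 2: its $3 M breach loss exceeds the $1 M limit, so $2 M stays with the firm regardless of the policy, and only protective investment lowers that exposure. The cafeteria menu never clears the deductible, so insuring it buys nothing; the grid places it last for protection spending as well.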
Slide 30: Conclusions
- Information security risk has been highlighted by hacker attacks on high-profile US websites, computer viruses and thefts that caused considerable financial damage.
- Companies have invested heavily in security measures.
- No amount of security can prevent all breaches.
- A viable market has emerged for cyber-risk insurance to protect against financial losses.
- Insurance companies are uncertain about how to price their products, so there is considerable room for negotiating prices with agents.