A Framework for Using Insurance For CyberRisk Management - PowerPoint PPT Presentation

1
  • A Framework for Using Insurance For Cyber-Risk
    Management
  • -Lawrence A. Gordon, Martin P. Loeb and Tashfeen
    Sohail
  • CSCE 824 - Spring 2005Secure Database Systems
  • Sarika Saxena
  • Department of Computer Science and Engineering,
    USC
  • April 14th 2005

2
Contents
  • History and Facts
  • Introduction: Cyber Insurance
  • Unique Characteristics: Cyber Risks
  • Insurance companies, policy issues
  • Insurance Coverage
  • Framework for Information security
  • Four step Decision Plan
  • Conclusions
  • References
3
  • Information security issues are at the forefront of the
    agenda for corporate executives.
  • Brought into importance by the 2002 CSI/FBI survey
    (responses from 503 computer security practitioners
    in U.S. corporations, government agencies, financial
    institutions, medical institutions and universities):
  • - 90% of respondents detected a security breach.
  • - Average estimated loss: $2 M per organization.
  • - 74% reported their internet connection as the point
    of attack.
  • - 223 respondents reported approximately $456 M in
    financial losses.
4
How did Cyber Insurance come into existence?
  • Traditional security measures cannot fully eliminate
    the risk of security breaches and the associated
    losses:
  • - Passwords,
  • - biometrics,
  • - antivirus software,
  • - intrusion detection systems etc.
  • So a new approach was developed.
5
Cyber Insurance
  • Deals with the risk of substantial financial losses
    remaining after technical security measures have
    been instituted.
  • Provides coverage against losses from breaches of
    computer networks, intranets and the internet
    (typically, any place where data can flow
    electronically).
  • A firm may hedge its potential losses from cyber
    crime.

6
Unique Characteristics of cyber-risk
  • Location: a perpetrator may be thousands of miles
    away from the business location.
  • Degree: virus damage can go beyond effects on data
    and software (business interruption, defamation
    etc).
  • Visibility: the commodity on the internet is
    information. Security breaches (of a firm's
    sensitive information) often go undetected.

7
Insurance companies and policy issues
  • Companies:
  • - AIG, Chubb, Fidelity and Deposit, Marsh, Lloyd's
    of London etc.
  • In designing new policies, the issues addressed are:
  • - Pricing
  • - Adverse Selection
  • - Moral Hazard

8
Pricing
  • Traditionally relies on actuarial data constructed
    from voluminous historical records.
  • The internet is relatively new, so histories of
    e-crimes and related losses do not exist.
  • Insurance companies are trying to quantify what some
    claim is an unquantifiable risk.

9
How to quantify risk?
  • Quantitative model: determine the chance and
    frequency of e-crimes and related losses; the
    equivalent of actuarial tables can help. AIG etc.
    are already building actuarial tables.
  • Private incident-response centers are gathering and
    publishing statistical data on the frequency of
    certain events that could expose risk.
  • Government and research bodies are also filling
    databases with information that's quickly growing
    large enough to detect trends and probabilities.
  • CERT Coordination Center at Carnegie Mellon:
    15,167 incidents were reported in 2000, an
    increase from 9,859 in 1999. These reports could
    be mined for deeper statistical data.

10
Adverse Selection
  • Refers to the problem that arises because a firm
    choosing to insure against a particular loss is
    likely to have private information not available
    to the insurance company at the time of contracting.

11
How to deal with adverse selection?
  • Security audit: when offering an insurance policy,
    insurance firms require an information security
    audit.
  • Identify high-risk users: insurance firms identify
    these users and differentiate the premium for such
    users.
  • Example: J.S. Wurzler, offering a policy to cover
    loss from hackers, adds a surcharge to firms using
    Microsoft's NT software for internet operations.
  • Insurers consider Microsoft NT high-risk.

12
Moral Hazard
  • Adverse selection deals with the insured's private
    information prior to contracting.
  • Moral hazard deals with the lack of incentive for the
    insured to take actions that reduce the probability
    of a loss after purchasing the insurance.

13
How to deal with moral hazard?
  • Deductibles: the insured will suffer some loss if a
    security breach occurs.
  • This provides a monetary incentive for the insured to
    take actions that reduce the likelihood of the loss
    actually occurring.
  • Premium reductions: policies offer these reductions
    for taking actions that reduce the probability of a
    loss.
  • Example: AIG offers discounts for firms using
    Invicta Networks' security device for shifting
    Internet Protocol addresses.

14
What does Cyber Insurance cover?
  • Computer networks, the Internet, e-mail and websites
    are exposed to damage and liabilities from
    unexpected sources such as defamation, hacking,
    fraud or virus attack.
  • The costs of third party legal claims against you
    (the insured company) arising out of your
    e-activities (e-mail, e-commerce and your website).
  • Losses suffered as a result of viruses or hackers,
    even if your employees carry out or aid the attack.
  • Your liability due to your customers' credit card
    numbers being stolen, or the theft of your money
    during transactions on electronic networks.

15
Cyber Insurance Coverage (continued)
  • Claims made against you by your employees for an
    unsuitable office environment due to disturbing
    e-mail content or website use, or due to breaches
    of confidentiality.
  • Financial losses suffered due to a business
    interruption which prevents you from using your
    computer systems or trading via your website.
  • Damage to your computer network or any data you hold
    electronically arising from unauthorized access.

16
Policies available
  • Chubb's Cyber Security
  • AIG's NetAdvantage Security
  • Hiscox's Hackers Insurance
  • Legion Indemnity's INSUREtrust
  • Lloyd's e-Comprehensive
  • Marsh's NetSecure
  • St. Paul's Cybertech

17
First party risks
  • Occur when the insured faces the possibility of loss
    of profits due to:
  • - Theft of trade secrets,
  • - Destruction of the insured's property (software,
    hardware and data),
  • - Extortion from hackers.

18
Third party risks
  • Faced by the insured because of damages caused,
    directly or indirectly, to another firm (or
    individual).
  • Includes liabilities for:
  • - A computer virus inadvertently forwarded,
  • - Failure to provide products (as contracted)
    because a hacker or virus stopped the insured's
    delivery system,
  • - Contents placed on the company's web site
    (infringement of copyrights),
  • - Theft of information held about a third party,
    such as credit card records.

19
Cyber-Risk Management Framework for Information
Security
  • The process of assessing risk, taking steps to
    reduce risk to an acceptable level, and maintaining
    that level of risk.
  • The value of the information vulnerable to threats
    also needs to be considered.
  • Value-Vulnerability Grid
  • - Helps identify which information should receive
    what level of security.
  • - It categorizes information from high to low on
    both value and vulnerability.

20
Value-Vulnerability Grid
21
Next, reduce information security risk to an
acceptable level.
  • The acceptable level varies from organization to
    organization, based partly upon the location of the
    information in the V-V grid.
  • Two steps to reduce risk:
  • 1. Invest in protecting against the risk of actual
    security breaches by installing firewalls,
    encryption and access control techniques.
  • 2. Acquire cyber-risk insurance.
22
  • 483 computer security practitioners in US
    corporations, government agencies, financial and
    medical institutions and universities participated.

23
(No Transcript)
24
Cyber-risk Management Framework for Information
security
  • Cyber-Risk Management Process

25
Decision Plan
26
Conduct an information risk audit
  • The audit uncovers the firm's information security
    risk exposure and places a value on that exposure.
  • Ensure that intrusion detection systems are in place
    to provide documentation on breaches.

27
Assess current insurance coverage
  • Corporate executives review existing property and
    liability insurance policies.
  • The review focuses on gaps in Internet-related
    coverage in the current policies.

28
Examine and Evaluate Available Policies
  • Firms are then in a better position to negotiate
    with their current insurance providers.
  • Consider the firm's potential losses and the
    security measures in place.

29
Select a Policy
  • Select the policy appropriate for the unique
    circumstances of the given firm.
  • The policy should have the desired additional
    coverage at an acceptable price.
  • Companies should determine the portion of financial
    risk they want the insurance company to cover and
    the residual portion they are willing to bear.
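As an added illustration of the Value-Vulnerability grid and the four-step decision plan above (this code is not part of the original presentation or the paper it summarizes), the Python model below places constructed assets in the grid, applies technical controls only to the high-vulnerability cells, and splits the residual expected annual loss between the firm and the insurer under an assumed deductible, coverage limit and premium. The asset figures, grid cut-offs, control effectiveness and policy terms are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    value: float        # loss if this asset is breached (constructed USD figure)
    breach_prob: float  # annual breach probability from the risk audit (constructed)

# Constructed sample inventory; the cut-offs below are assumptions, not from the slides.
ASSETS = [
    Asset("customer credit card records", 2_000_000, 0.20),  # high value, high vulnerability
    Asset("public web site content", 100_000, 0.30),        # low value, high vulnerability
    Asset("internal archive", 50_000, 0.02),                # low value, low vulnerability
]

def grid_cell(asset, value_cutoff=1_000_000, prob_cutoff=0.10):
    """Place an asset in the Value-Vulnerability grid as (value, vulnerability) = high/low."""
    value = "high" if asset.value >= value_cutoff else "low"
    vuln = "high" if asset.breach_prob >= prob_cutoff else "low"
    return (value, vuln)

def after_controls(asset, reduction):
    """Step 1 of risk reduction: firewalls, encryption, access control lower breach probability."""
    return Asset(asset.name, asset.value, asset.breach_prob * (1 - reduction))

def split_loss(loss, deductible, limit):
    """Step 2: per-breach split into (retained by firm, paid by insurer) under the policy."""
    transferred = min(max(loss - deductible, 0.0), limit)
    return loss - transferred, transferred

def annual_exposure(assets, deductible, limit, premium):
    """Expected annual cost borne by the firm (premium plus retained loss) and by the insurer."""
    retained, transferred = float(premium), 0.0
    for a in assets:
        r, t = split_loss(a.value, deductible, limit)
        retained += a.breach_prob * r
        transferred += a.breach_prob * t
    return retained, transferred

def decision_plan(assets, reduction, deductible, limit, premium, tolerance):
    """Harden high-vulnerability cells, then accept the policy if retained risk fits the tolerance."""
    hardened = [after_controls(a, reduction) if grid_cell(a)[1] == "high" else a for a in assets]
    retained, transferred = annual_exposure(hardened, deductible, limit, premium)
    return {"retained": retained, "transferred": transferred, "accept": retained <= tolerance}

if __name__ == "__main__":
    for a in ASSETS:
        print(a.name, grid_cell(a))
    print(decision_plan(ASSETS, reduction=0.5, deductible=100_000, limit=1_500_000,
                        premium=60_000, tolerance=200_000))
```

The retained figure is the residual portion the firm bears (premium plus expected losses below the deductible and above the limit); varying the deductible and limit shows how the split moves.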

30
Conclusions
  • Information security risk has been highlighted by
    hacker attacks on high-profile US web sites,
    computer viruses and thefts that caused
    considerable financial damage.
  • Companies have invested heavily in security
    measures.
  • No amount of security can prevent all breaches.
  • A viable market has emerged for cyber-risk
    insurance to protect against financial losses.
  • Insurance companies are uncertain about how to
    price their products, so there is considerable
    room for negotiating prices with agents.

31
References
  • http://www.computerworld.com.au/index.php/id106527059relcomp1
  • http://www.irmi.com/Expert/Articles/2001/Rossi02.aspx
  • http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2004.pdf