Category Archives: cyberrisk

Cyber Risk’s Dirty Little Secret

am_image

Meh, not so much.  I’m speaking of the “100% Secure” in the accompanying AshleyMadison.com image.  I apologize in advance if my chosen image this week may be a little risqué for some readers.  I just couldn’t resist.  Apparently, neither can many married folks who were clients of the AshleyMadison.com website whose marketing tagline is, “Life is short. Have an affair.”

News broke a few weeks ago that AshleyMadison.com had been hacked and that the hacker(s) threatened to release the site’s user data if the company didn’t fold up its online tent and shut itself down.  Engaging in illegal hacking activity in order to take a morality stand isn’t what I would consider the moral high ground, but the irony is apparently lost on the hacker(s).  Anyway, AshleyMadison.com called the hacker(s) bluff and the cards were laid on the table this week.  Thousands of cheating (or wanna-be cheating) spouses have been publicly outed.  I’m betting that this is a good time to be florist, jeweler, or divorce attorney.

As much fun as it is to revel in the misfortunes of unfaithful spouses, this event provides another perspective on the ever-evolving cyber risk front.  Risk managers and insurance professionals have been largely focused on things like stolen credit card data and corporate espionage.  Consumers of Target, Home Depot, Anthem Healthcare, et. al. have been largely mollified with free credit monitoring service in the wake of data breaches at those firms.  But how does a firm address cyber liability for a destroyed marriage or soiled reputation?  There are plausible defenses:  AshleyMadison.com customers were knowingly engaged in risky personal behavior and never should have expected that their actions would not be discovered.  On the other hand, if AshleyMadison.com boasted that it was “100% Secure” it would be reasonable for customers to assume that their extramarital activities were at least safe from moralistic hackers, even if they still had to find a way to lie and deceive their way around the actual, ahem, activity of the affair.

Oh my.  This blog post could go on and on, but let me just close by stating that cyber risk and cyber liability is the wild, wild west of the risk and insurance industry right now.  Begging forgiveness from Mrs. Crandall, my high school English teacher, we ain’t seen nothin’ yet.

Advertisements

Wanted: Cyber Insurance

wanted-cyber_insurance

Staying with the theme of last week’s post – which was an exercise in exasperation over the ongoing stream of high-profile data breaches – I decided to examine the insurance industry’s readiness/appetite to respond to this risk.  My conclusion?  The demand for cyber insurance is clearly surpassing the available capacity for such coverage.  That conclusion certainly isn’t a surprise to anyone, and the reasons given for limited cyber insurance capacity are logical.  Nevertheless, your humble blogger senses that there is reason to be concerned that the nascent cyber insurance market may not develop as risk managers hope and expect.

Insurance Journal reports that there are just a few insurers cautiously wading into the cyber insurance market at this time, and that their offerings are limited by policy exclusions and low limits of insurance.  Insurance buyers are seeking far more coverage than the insurance industry is ready and able to supply at this time, reportedly because the actuarial data is insufficient to properly model cyber risk and to price the risk appropriately.  More time and data is needed, experts say.  Red flag alert.

Underwriting more conventional risks such as property losses caused by fires and storms, or liabilities for slips/falls, will clearly benefit from mounds of historical data.   Fires, storms, and slip/fall hazards present relatively stable risks.  One can argue the nuances, such as improvement of flooring technology to reduce slips/falls, and better fire protection systems, but the inherent nature of fire, slips/falls, etc. are fairly constant.  Personally, I am not convinced that the cyber actuaries and underwriters are going to find anything close to a stable risk model for the cyber risk insurance products they are working on.

If we have learned nothing else over the past 20 years, we have learned that “internet time” passes by very quickly.  Just as we become comfortable and proficient with the latest technology, obsolescence sets in.  In my past life as a software developer, I spent a fair amount of time with my fingers in source code and I know just how quickly those coding skills atrophy simply because of the swift passage of time that brings about new software tools, methods, and insights.  The basis of many cyber risks is in the billions of lines of source code throughout our systems.  It stands to reason that just as the insurance industry grows comfortable with the cyber risk threat from an actuarial and modeling perspective, the target will have moved as the software and systems rapidly evolve – frequently with insufficient time to harden and protect the code from the creative attacks of hackers.

There should also be some concern over the extent to which cyber risk is or is not an insurable risk according to the textbook definition.  The insurance industry functions best when the law of large numbers can work across a multitude of similar exposure units, and when losses are independent and not catastrophic.  Geographic concentration of a book of business without adequate reinsurance in hurricane-prone locations has killed some insurance carriers in the past.  What might a particularly nefarious and unanticipated piece of viral source code do to the Fortune 500 and their cyber insurers if it proliferates through a common and previously unknown code vulnerability in common platforms such as Oracle databases or Cisco routers?

Cyber insurance is in great demand, and the headlines provide witness to why this is so.  The unanswered question remains, to what extent can and will the insurance industry have the capacity to meet this demand or will alternative risk management techniques be forced to fill the gap?  The cyber insurance market may well be even more challenging than the terrorism risk insurance market.

We live in interesting times.

Another Day, Another Data Breach

hacked

It’s no wonder that the cyber risk sessions at April’s Risk and Insurance Management Society Annual Conference were standing room only.  We’ve just learned that as many as four million people’s information has been breached on government computers.  This comes on the heels of an IRS admission that 100,000 taxpayers may have had data from past tax returns stolen.  These instances prove that even our government is far from immune to the dangers and failures that have plagued the likes of private sector giants, Target, Home Depot, and Anthem Health.

I don’t have a particular statistic to cite, but my fear is that we are seeing only the tip of the “data insecurity” iceberg.  How many small breaches of far less secure databases are occurring for each one of these high-profile, high-stakes breaches?  Even if there are not a multitude of smaller breaches occurring, the aforementioned highly visible breaches cast a pretty wide net.  I have no indication that I or my family have been caught up in the federal government’s latest data breaches, but between my wife and I, we are receiving complimentary identity protection services as a result of links to all three of the aforementioned private sector hacks: Target, Home Depot, and Anthem.

Perhaps the larger question should be (spoken with utter exasperation), “What in blazes is going on?!”

The explosion of the internet in 1990s ushered in an era of exponential connectivity and information sharing, which is generally a good thing.  Unfortunately, it seems apparent that the rapid expansion of connectivity has outpaced our ability to protect the valuable data that naturally results from all of this connectivity.  In our rush to automate and connect everything (and to benefit from the incredible productivity and wealth growth that results) have we put the proverbial cart before the horse?  Or is it just a fact of our new digital life that our vast connectivity of devices and databases means that data is going to be at risk to some extent no matter what we do?

No matter how these questions are answered, risk management and insurance are both going to play integral roles in the cyber risk world.  It looks to me like we’re in the midst of a “Wild West” sort of era – and my concern is that there is likely to be a shoot-first-ask-questions-later approach to our data systems and our risk management processes.  That tends to produce considerable collateral damage.