Debating the Maturity of Cyber-Insurance

What Role Should It Play in NIST Cybersecurity Framework?

By , July 29, 2013.

The team developing the cybersecurity framework that President Obama ordered is considering incorporating cyber-insurance as a component of the plan, says NIST Director Patrick Gallagher.


But Gallagher and others addressing the cybersecurity framework say the cyber-insurance marketplace hasn't matured to the point where large, critical infrastructure operators can transfer a significant portion of their cyber-risks to insurers [see NIST Unveils Draft of Cybersecurity Framework].

"You need to monetize the risk; this comes down to measuring and understanding and developing an actuarial basis for this risk to be imbedded into the market," Gallagher said at a July 25 hearing on the cybersecurity framework held by the Senate Commerce, Science and Transportation Committee. "This discussion has come up quite frequently in the framework process, and I think as part of the metrics discussion this is something being looked at and something that would be quite helpful."

Limits of Cyber-Insurance

But witnesses testifying at the hearing, none from the insurance industry, expressed doubt that insurers can take on the risk of insuring against the most catastrophic attacks envisioned, at least not by the time the cybersecurity framework is issued in February. A draft of the framework is due in October.

President Obama, in an executive order, ordered the National Institute of Standards and Technology to lead a government-industry initiative to create a cybersecurity framework of best practices that the owners of the nation's critical infrastructure could voluntarily adopt [see Obama Issues Cybersecurity Executive Order]. The leaders of the Senate panel have introduced legislation to codify Obama's executive order [see Bill Endorses Obama Cybersecurity Plan]. A committee vote on that bill could occur as early as the coming week.

At the hearing, Sen. Richard Blumenthal, D-Conn., questioned why the insurance marketplace isn't ready to handle massive claims from devastating cyber-attacks when it insures against calamitous storms, which in the past few years have created economic disruptions in parts of the country.

"The [cyber] threat has been here for well long enough to monetize and do the actuarial accounting," said Blumenthal, whose state is headquarters for a number of insurers. "The insurance companies are very mindful about the potential threats of hurricanes in the Northeast, which are about as difficult to monetize as I guess that of the cyberthreat, in fact more so, because we know the cyberthreat is there; we know some of the damage that can be caused."

Protecting the IT Environment

But Art Coviello, chief executive of the security firm RSA, disputed Blumenthal's assessment, saying it's more difficult to create actuarial tables and algorithms around cyber-incidents than natural disasters for two reasons: ever-changing computing platforms and the escalating amount of data being created. "The complexity of protecting the fast-changing IT environment is overwhelming," Coviello said. "That's why the framework is so important."

It's not just the increasing sophistication of attackers but the attack surface - the platforms businesses operate on - that presents a challenge. "The iPhone didn't even exist till 2007; six years later we have full mobile ubiquity," Coviello said. "We used very few web apps to run our businesses as recently as 2005, 2007; now, the common refrain is, 'There's an app for that.' In another six or seven years, we'll be using big data applications to monitor everything about us and the world around us."

Another challenge Coviello sees in monetizing potential losses from cyber vulnerabilities is the stratospheric amount of digital content being generated, quantities unimaginable just a few years ago. "There was a quarter of a zettabyte being created in 2007," said Coviello, who calculates that one zettabyte is the equivalent of 4.9 quadrillion books. "This year there will be 2 zettabytes. By 2020, there will be 40 to 60. That amount of content needs to be sorted through to determine what exactly needs to be protected."

That makes valuing losses from cyber-attacks and vulnerabilities difficult to calculate. Insurance is a risk-transfer tool where someone else - the insurer - absorbs some of the risk. For that to occur, both parties need to understand the risk and determine its value.

Few Comprehend Consequences of Risk

Follow Eric Chabrow on Twitter: @GovInfoSecurity
