Cybersecurity legislationCybersecurity insurance gains more adherents
With so many large U.S. companies suffering security breaches — and with companies losing an average of $234,000 per breach in 2009 — more consideration is being given to cybersecurity insurance; a crashed server policy is not as easy to write as a crashed car policy
After a year of high-tech breaches at some of the U.S. biggest companies, a provision in a Senate bill calls on the White House to encourage a market for cybersecurity insurance to protect businesses from debilitating costs brought on by hacking and compromised information.
The bill, introduced by Senators Jay Rockefeller (D-West Virginia) and Olympia Snowe (R-Maine) says the president or his appointee must report to Congress on “the feasibility of creating a market for cybersecurity risk management” one year after the bill’s passing.
Pittsburgh Post-Gazette’s Erich Schwartzel writes that a crashed server policy is not as easy to write as a crashed car policy. Many businesses are deterred by an application process described as appropriately exhaustive but forever imprecise.
The process is complicated by the tricky nature of monetizing data. Web experts always have held that “information wants to be free.” How much is it worth when it is stolen, though?
Companies lost an average of $234,000 per breach in 2009, a recent report by the Computer Security Institute in New York found. But a report released last week by the Carnegie Mellon CyLab found that 65 percent of its Fortune 1,000 respondents were not reviewing their companies’ cybersecurity policies.
Schwartzel notes that cybersecurity insurance has been a topic in Washington since the Clinton administration, and in 2002 cybersecurity adviser Richard Clarke met with insurance executives to encourage a more strident approach to convincing businesses to sign up.
More recently, President Barack Obama named Howard Schmidt White House cybersecurity coordinator, but any move toward cybersecurity coverage in Pennsylvania has not been “significant,” state officials said.
Cybersecurity bills introduced by various senators signal this to be a banner year for cybersecurity legislation. A bill introduced by Senator Joseph Lieberman (I-Connecticut) seeks to establish a National Center for Cybersecurity and Communications under DHS. Some analysts expect the bill to merge with the Rockefeller bill at some point.
Political encouragement of a cyber insurance industry could lead to increased security practices at American business, said Greg Nojeim, senior counsel at the Center for Democracy and Technology in Washington, D.C. Rather than require uniform government standards for security, the White House could encourage cyberinsurance and then watch as companies increase security in order to get lower premiums. Safeguarding company computers would lead to lower premiums, much like a sprinkler system will reduce your monthly fire insurance bill, he said.
“Cyberinsurance is seen as a way to get to a more secure world, without a heavy-handed government mandate that could stifle innovation,” he said.
Schwartzel writes that insurers can deny coverage to companies with subpar servers or firewalls — the virtual equivalent of a pre-existing condition. Indeed, an application for cyber insurance requires, among other things: an inventory of company software, a history of targeted threats, a dissection of hiring policies, a roster of IT personnel and questions like, “Are passwords required to be at least seven characters in length, alpha-numeric, and free of consecutive characters?” (Check yes or no.)
Cybersecurity insurance has been in the market for about six years, but only recently has gained traction as prices have come down, said Bob Miller, a vice president at Liberty Insurance Agency in Scott. He’s the “esoteric guru” at the company who deals with nontraditional coverage.
Companies used to charge well over $100,000 for a policy, and $50,000 deductibles were common, he said, because data on breaches was so scant and potential losses unknown.
Now policies are available for less than $10,000.
Applicants must break down loss estimates on an hourly basis, since most breaches are resolved in hours and not days. The loss amount is “not as easy to guess as somebody who’s making widgets,” he said.
Fear of a public relations nightmare leads many companies to keep breaches private; the Institute found less than 25 percent of its survey pool agreed to disclose the amount lost.
That kind of secrecy is common, experts say. Web sites that work with credit are required under law to notify all customers of the breach. Breach notification costs are estimated to range between $30 and $100 per customer.
Jody Westby, a researcher who worked on the CyLab report that indicated board negligence, said the insurance provision in the cybersecurity bill was a mandate by an ill-informed Congress. “This is interventionist, regulatory, heavy-handed action by Congress,” said Westby. “This isn’t anything that Congress is going to fix,” she said. “It’s something boards in America need to fix.”
Mandating online business protocol could isolate American practices from other countries, she said. “We think because we invented the Internet, we control it,” she said. “We don’t. We gave it away.”