A few months ago, one of the large US insurance companies ran an advertorial in a business magazine promoting a “new” cybersecurity policy. Around the same time, commentators in the blogosphere and the media were covering the launch in the UK of the Cyber Information Sharing Partnership.
I read both events as a sign that IT security continues to mature and move up in the priority list of both insurers and the government who seem to be taking more seriously the risk posed by IT Security threats to the nation. However, this presents a new and important conundrum:
Does critical national infrastructure (CNI) require an insurer of last resort to offer financial support after a major incident i.e. an organisation that could provide a similar service to that of the Bank of England or the Federal Reserve in the USA that act as lenders of last resort during financial crises?
I would strongly oppose such a move on the basis that this would create a moral hazard. Borrowing from Wikipedia: “a moral hazard is a situation where a party will have a tendency to take risks because the costs that could result will not be felt by the party taking the risk”.
The existence of an insurer of last resort would outweigh any potential benefits, as it might (or actually would?) encourage the many organisations classified as critical infrastructure to underinvest in risk management processes and risk mitigation solutions, including IT Security programs and the applicable tooling.
On February 2014, the BBC ran an article about insurance companies refusing to cover power companies for IT Security-related attacks as they former deemed the defences of the latter ones as too weak. This, according to the BBC, followed a “huge increase” in demand for insurance coverage from energy firms.
It is unlikely that the overall IT security threat is on the increase –even if the perception created by the media is that the risk is indeed increasing. Instead, there are several developments taking place.
One is the attempted transfer of the risk created by underinvestment in IT defences to the underwriters, accelerate by the perception that the risk is going up. Another one is that even properly defended IT networks are still vulnerable to attack, thus, leaving the risk to the CNI still too high for a traditional underwriter to cover.
One option to insure the CNI against IT security risk is to start by assuming that it is not possible for the underwriters to insure in full against IT security risk. The insurance companies could offer partial coverage with a capped level of monetary liability.
However, they could attach two strings to the policy. First, CNI organisations would have to successfully complete quarterly audits using applicable frameworks like NERC in the USA. This would require having the CNI organisations increasing their investment in an IT security programme and tooling possibly funded by a slight increase in prices.
And second, both the government and the CNI members should continue to develop threat scenarios and fire drills against those scenarios to defend and restore the CNI after an IT Security incident.
Insurance policies and monetary pay outs will not restore a breached section of the CNI; only trained individuals working according to a well-tested disaster recovery plan can. However, some of the threat scenarios can be avoided in the first place, and the insurance costs reduced, by measuring, managing and mitigating IT security risk.
What’s your opinion on this issue? Please share in a comment below…
- Attention General Counsel: Do You Know Your DDoS from Your APT?
- Target and the Security Liability Blame Game
- Board Dynamics: Do BoDs Understand the Impact of Cyber Attacks?
- The Role of Security in Creating a Standard of Due Care
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Title image courtesy of ShutterStock