Can insurance be a game changer for cybersecurity?

16 April 2017
Halvar Flake at BlackHat Asia 2017

Cyber insurance could be a game changer in the cybersecurity space, with the potential to upend an enterprise buyer-IT vendor relationship which is currently heavily weighted in favour of the latter.

Sharing his views on “Why we are not building a defendable Internet” at BlackHat Asia 2017, Google’s Halvar Flake noted that the supply side of IT is “insanely scale-driven” and that “almost no enterprise has any meaningful influence on what they buy and deploy”.

In an idealised scenario, he said, a chief information security officer (CISO) creates requirements for IT security, communicates this to suppliers, and the hardware and software vendors and system integrators find out how to build systems that meet the needs of the enterprise in terms of security.

The reality, however, is that enterprises have insufficient market power to enforce any change on that side of the equation. “Very few companies can go to Intel and say ‘we would like this changed’. Most enterprises buy hardware and software from suppliers but have little choice and very little input in terms of design, so the CISO has even less.”

Cybersecurity vendors enter the picture to provide a “stop-gap” solution. “Cybersecurity vendors sell us an approximation of what we would like to have,” said Halvar. “However, most security products combine two negative characteristics: They are trivial to bypass by an attacker that does any form of quality assurance, and they combine lots of highly-privileged attack surfaces.”

So why is there a market for products that most experts agree are not that useful?

Halvar puts it down to this: “For a CISO, the biggest risk is to be seen having forgotten a risk, so the solution is often a portfolio purchase – buy one from each product category.”

“You have to show that you have seen all the risks, so you need something for intrusion detection, something for loss prevention... The product just needs to look like a reasonable choice.”

The result, he said, is a proliferation of new product categories in a market that is full of security products that work “only by the grace of the attacker not testing against them”.

In this imperfect world, insurance could be a game changer under certain circumstances, said Halvar.

Cyber insurance offers to mitigate some of the costs resulting from a breach, for example the cost of incident response and the cost of cleanup.

Insurers have - or can buy - the expertise to tell good security products from the lemons, and offer lower premiums to customers that deploy secure products. That could change cybersecurity from being a cost centre and make a difference to the organisation’s cash flow, said Halvar. “With a difference in premiums, good security could have an immediate financial impact.”

And if everything goes right, cyber insurance could even bundle market power. “Enterprises have no power as individuals, but if insurance were to offer reduced premiums for defendable IT and bundle market power, there could be a concerted demand for better security systems.”

There are, of course, possible negative outcomes as well, such as insurers mandating the deployment of ineffective products and reducing cybersecurity once again to an exercise in checkboxing, or cyber insurance itself becoming yet another product category in the product portfolio purchasing scheme.

From the insurers’ point of view, cyber insurance is an exciting new market with huge growth opportunities. According to a report by Allied Market Research, the global cyber insurance market is expected to generate US$14 billion by 2022.

However, underwriting cybersecurity risks presents formidable challenges for the insurance sector. Cyber risks are hard to quantify, and few insurance companies have sufficient expertise to do this well, said Halvar.

For one thing, insurers are hindered by the scarcity of historical data. “We have data about earthquakes and floods, but very little about cybersecurity. And data from six years ago may be a poor predictor for cybersecurity risk today.”

With cybersecurity, there is also the possibility of having a lot of risk blow up at the same time. “When there is an underlying condition that was not previously diagnosed, once it is diagnosed everyone is affected.”

He cited the example of incident clusters: where APTs with non-disinfectable backdoors are technically feasible, one possible course of action would be to replace all affected devices, so everything could get very expensive very quickly.

Many insurers today are underwriting cybersecurity without fully understanding the risk, said Halvar. “And as IT grows exponentially, so does IT risk.”