There is a growing gulf between those who think insurers should give discounts to those who follow “best information security practice” (whatever that is) and underwriters who have been burned by breaches at US retailers (for example) with supposedly “mature” approaches to security. “Cyber” is now routinely deleted from mainstream theft, business continuity, libel or product, professional or director’s liability insurance, and underwriters are more concerned with whether the operation is at risk of a sophisticated attack that uses insiders (innocent or otherwise) to bypass technology-based defences.
Most of the policies on offer cover only the cost of implementing a pre-agreed incident management plan: e.g. to minimise the damage when customer data, content and intellectual property rights are compromised or a network or cloud goes off air, whether as a result of criminal activity, terrorism or digititis. The reason is the cost of recent US data breaches: $200 per record compromised, to notify those at risk, reissue credit cards and make the changes necessary to retain PCI-DSS status. There is also a test case which implies that, in the absence of evidence of actual financial loss, $1,000 (or pounds) is a reasonable figure for the hassle and distress to an individual whose personal information has been compromised. Now consider the potential cost of a data hack on an organisation where the identity of the users, let alone their credit cards, personal records or transactions, is sensitive – such as Ashley Madison.
For all the talk of “Big Data” being the new “Oil” and “Cloud” being the way forward, it is now almost impossible to get insurance cover for the potential third party risk taken on by those who accept liability. And why should any of us trust those who do not? [Hence also the big question mark over the value, if any, of identities issued or recognised by government.]
Now let us take a quick look at the murky world of product liability, where software has long been excluded as a “service”, not a “product”, but is increasingly embedded in products. The well-publicised hacking of an in-car entertainment system to take charge of many of the vehicle’s controls illustrates the risks now being run in the world of interconnected (and insecure) everything. No wonder insurers are steering well clear.
Meanwhile the value of using “Big Data” to support the current surge in on-line advertising has been called into question by reports showing that almost half of it is blocked and three quarters is designed for PC users, while well over half the target audiences already spend most of their time using smart phones. The backlash is under way.
That message has yet to spread from insurers to the world of “Big Data” enthusiasts, eager to collect everything possible about current or would-be customers. But the EURIM (now DPA) studies before the 2010 election on the Unlocking the Value of Information and Security by Design are now most apposite. The current DPA exercise on the use of data minimisation routines for Age Verification has strong government, as well as growing industry support: see the Hansard report of the ministerial response on the second reading of Baroness Howe’s Online Safety Bill 2015.
The good news is that players like IBM and BT are making massive investments in security training and services, not just security technology. The figures for IBM are not public, but BT already employs six times as many full time security staff (3,300 in total, 1,700 in the Security Division) as Google (500), and its Security Academy (lead sponsor of the Cyber Security Challenge schools challenge) is by far the UK’s biggest “cybersecurity” trainer outside GCHQ and the Defence Academy.
Hence the importance of the Long Finance “Cyber Catastrophe Reinsurance” study to the wider “Digital” Community, not just to the participating insurers and those who work with them to help manage and reduce risk – as opposed to those who merely sell cyber-security snake oil to the rest of us.