[infowar.de] White House Recommends "Cybersecurity" Insurance
White House Pushing Cybersecurity Insurance
By Brian Krebs
washingtonpost.com Staff Writer
Thursday, June 27, 2002; 1:35 PM
Companies in every sector of the U.S. economy may soon find it difficult
to operate without cybersecurity insurance, an evolving form of coverage
that the Bush administration hopes will be instrumental in steeling the
nation's information technology infrastructure against attack.
In closed-door meetings with insurance industry leaders last week, White
House officials laid the groundwork for a joint public-private sector
working group to identify obstacles that may be preventing insurers from
writing more cybersecurity policies.
"We've asked them to come up with ideas about things the government
could do that would make it easier for the insurance industry to provide
more coverage," said Richard Clarke, the White House cybersecurity
adviser. "We also asked them to look at ways in which the insurance
industry can work together with the government to increase corporate
awareness of the problem."
The White House strategy - set in motion under the Clinton
administration - holds that as malicious hacker attacks and computer
viruses become more destructive and costly, businesses will seek
insurance coverage for their commercial data and other computer-based
The administration's plan borrows a page from the evolution of fire
insurance at the turn of the 20th century, when insurers worked with
industry to reconcile competing electrical and fire safety standards.
Businesses that did not take certain fire precautions were largely
The White House believes the same dynamic will evolve in the Internet
security arena: In an effort to minimize losses, insurers will confer
with leaders in the technology industry to set minimum standards for
network security practices and - by extension - products used to enforce
Robert Hartwig, chief economist for the Insurance Information Institute
in New York, said that transformation is already underway. He estimates
that the market for cybersecurity insurance will reach $2.5 billion in
premiums by 2005.
"Businesses will soon purchase this in the same way they buy property
insurance," Hartwig said. "They wouldn't think of not insuring the
buildings they're in, and soon they won't go without insuring the value
of their computer systems."
A Risky Business
Only a handful of insurers currently offer cybersecurity policies.
Coverage areas now include theft of data, denial-of-service and virus
attacks, Web site defacement and subsequent outages, credit card fraud
and cyber-extortion. A few policies even cover accusations of online
libel and slander.
Yet, as with other new types of coverage, the amount of coverage
available is limited. In addition, cyberinsurance premiums can be
prohibitively expensive for many companies, in part because insurers
don't have enough experience and information to assess the financial
risks associated with such policies.
And if insurers have trouble accurately assessing the loss from
intrusions, companies also are likely to have trouble determining
whether cybersecurity insurance is a smart investment, said Bill Budde,
managing director for global insurance at EDS Corp.
"Right now, it seems difficult from a buyer's perspective to understand
what they're purchasing," he said. "Ultimately, companies have to be
able to figure out if it's worth the coverage cost," or if it would be
simpler and cheaper to self-insure.
To further complicate the equation, damages that companies incur from
hacker attacks can be difficult to quantify, Budde said.
"Maybe a company loses customers because an attack brings its site down
for a few hours, but that's a loss that's sometimes hard to prove," he
Businesses have been notoriously reluctant to report network
vulnerabilities and intrusions, leaving insurers with a dearth of data
to use in evaluating risk and offering coverage.
According to a report released by the FBI in April, 90 percent of
businesses and government agencies suffered some form of cyber attack
within the past year, yet only a third of those businesses reported the
incidents to law enforcement.
"If you're insuring automobiles, you can anticipate that there will be a
certain number of accidents out of a given number of drivers, so you
know what your loss exposure is," Clarke said. "With cyberinsurance,
there's not a lot of data that allows anyone to make that kind of
The administration strongly supports an effort in Congress to exempt
from public disclosure certain information that companies share with the
government on computer vulnerabilities. Many companies have said they
would be unwilling to disclose such data without such protections.
Technology Is Half the Battle
All of the major carriers offering cybersecurity coverage use
independent security companies to probe a candidate's network defenses
before granting a policy. As insurers become more familiar with IT
security, the auditing process should begin to drive the development of
more secure software, said Elad Yoran, founder of Alexandria-based
Riptech Inc., a company that performs security testing for potential
cybersecurity insurance clients of American International Group (AIG).
"A company's ability to afford this insurance is going to hinge on the
types of security infrastructure they've implemented," Yoran said.
"Premiums will be significantly lower for organizations that implement a
vigorous defense posture and well-tested security products."
In the meantime, the Bush administration is asking some of the biggest
buyers of IT security goods to demand more from technology vendors.
"We've been getting together with customers, sector by sector, and
asking them why they continue to buy software that has these security
problems," Clarke said.
Bruce Schneier, founder of Counterpane Internet Security in Cupertino,
Calif., said such steps don't change the fact that improving security
remains a losing proposition for technology companies.
"What are the costs of improving security? It's expensive, users lose
functionality, and they get annoyed," Schneier said. "What are the costs
of ignoring security? Occasionally, you may get some bad press. So the
result is, you do what everyone else does, and nothing more."
Schneier said technology firms aren't likely to improve the security of
their products until they begin to face product liability lawsuits or
more stringent laws.
"Security follows the money, and if there isn't any financial incentive
for companies to be secure, they're not going to," he said. "Doing
anything else wouldn't make any business sense."
For now, the administration is determined to take a non-regulatory
approach to the matter, Clarke said. The working group is expected to
issue its recommendations in August, a month before the White House
plans to release its national strategy for protecting the country from
The administration is also talking with the insurance industry about
whether potential cyberterrorist attacks on the nation's infrastructure
would be exempt from coverage under the new policies. Most insurers
treat terrorist attacks as acts of war, which insurance companies
generally don't cover.
In the end, it may take a punishing, industry-wide cyberattack before
companies begin to seriously consider cybersecurity insurance, said
Hartwig of the Insurance Information Institute.
"Unfortunately," Hartwig said, "the best advertisement for this kind of
product is going to be the next malicious and well-publicized attack."