By: Rony Roy, BCA 4th Sem, 1st Shift
Today, executives are acutely aware that their information is under constant attack as cyber threats become more pervasive, persistent and sophisticated. Cyber insurance to cover losses and liabilities from network or information security breaches can provide incentives for security investments that reduce risk. Although cyber insurance has evolved, industry has been slow to adopt it as a risk management tool. Individuals, businesses, and other organizations routinely use insurance to help manage risks. They buy insurance policies to cover potential losses from property damage, theft, and liability that they can’t or don’t want to bear alone. Insurance carriers’ offerings have evolved to address increased demand (such as directors’ and officers’ liability), new perils (such as loss of intellectual property), and previously uncovered risks (such as college students’ property losses).
IT security has traditionally referred to technical protective measures such as firewalls, authentication systems, and antivirus software to counter such attacks, and mitigation measures such as backup hardware and software systems to reduce losses should a security breach occur. In a networked IT environment, however, the economic incentives to invest in protective security measures can be perverse. My investments in IT security might do me little good if other systems connected to me remain insecure because an adversary can use any unprotected system to launch an attack on others. In economic terms, the private benefits of investment are less than the social benefits, making networked IT security a public good and susceptible to the free-rider problem. As a consequence, private individuals and organizations won’t invest sufficiently in IT security to provide an optimal (or even adequate) level of societal protection.
Benefits of Cyber Insurance
In other areas, such as fire protection, insurance has helped align private incentives with the overall public good. A building owner must have fire insurance to obtain a mortgage or a commercial business license. Obtaining insurance requires that the building meet local fire codes and underwriting standards, which can involve visits from local government and insurance company inspectors. Insurance investigators also follow up on serious incidents and claims, both to learn what went wrong and to guard against possible insurance abuses such as arson or fraud. Insurance companies often sponsor research, offer training, and develop best-practice standards for fire prevention and mitigation. Most important, insurers offer lower premiums to building owners who keep their facilities clean, install sprinklers, test their control systems regularly, and take other protective measures. Fire insurance markets thus involve not only underwriters, agents, and clients, but also code writers, inspectors, and vendors of products and services for fire prevention and protection. Although government remains involved, well-functioning markets for fire insurance keep the responsibility for and cost of preventive and protective measures largely within the private sector. As with fire insurance, the prospective benefits of well-functioning markets for cyber insurance can accrue to stakeholders both individually and collectively.
They include:
- A focus on market-based risk management for information security, with a mechanism for spreading risk among participating stakeholders.
- Greater incentives for private investments in information security that reduce risk not only for the investing organization but also for the network as a whole.
- Better alignment of private and public benefits from security investments.
- Better quantitative tools and metrics for assessing security.
- Data aggregation and promulgation of best practices.
- Development of a robust institutional infrastructure that supports information security management.
Thus cyber insurance can, in principle, be an important risk-management tool for strengthening IT security and reliability, both for individual stakeholders and for society at large.
But are these prospective benefits realistic and achievable?
It is likely, as security expert Bruce Schneier expects, that:
“[T]he insurance industry [is] going to move into cyber insurance in a big way. And when they do, they’re going to drive the computer-security industry… just like they drive the security industry in the brick-and-mortar world.”