What do these have in common: Obamacare, Trumpcare, Cybersecurity Insurance?

Obamacare and Trumpcare aren’t the only insurance plans in the news these days, though they do seem to suck the oxygen out of most media outlets. Russian cyber attacks to influence the United States presidential election have consumed much of the remaining column inches, but there has been recent news about cyber-insurance — insurance that companies could use to reduce the impact of cyber attacks. Or maybe not.
Lloyds of London and cybersecurity firm Cyence released a report looking at the potential costs of large scale cyber incidents, and analyzing how effective current cybersecurity offerings would be in capping risk for policy-holders. Spoiler alert: not very.
The report looked at two large scale cybersecurity incident scenarios:
- An attack and compromise of a major cloud service provider.
- Cyber-attackers exploiting a vulnerability in widely used software, such as Microsoft Windows.
The first scenario is known as an aggregation risk: if many companies are using a common cloud service provider, such as Amazon AWS, Microsoft Azure, Salesforce.com, etc. the impact of a successful compromise would be huge — as high as $53B in the Lloyds report. Luckily, we haven’t seen an attack of this scale succeed — yet. The report concludes that cyberinsurance would cover only between 13–17% of that cost.
The second scenario is a common one, with the recent Wannacry and Petya attacks causing widespread impact. Lloyds estimates losses from a large scale vulnerability driven event to be between $9.7B and $28.7B and estimates that only 7% of costs would be covered by cyberinsurance.
This report underscores why (like health care reform) there is a lot of talk about cyberinsurance, and growing spending on it, but few if any success stories. There are several reasons why that isn’t going to change anytime soon.

Before civil and mechanical engineering existed as actual engineering disciplines, people building things like railroad bridges or other structures had no real idea how much weight they could support. It was common to test railroad bridges by filling the tracks with locomotives, which were the heaviest type of rail car. If the bridge didn’t fall down, it was probably safe enough.
Once tables of material strengths for steel and concrete and handbooks of common designs such as arches and trusses were developed, paper designs for bridges could be evaluated against the predicted load they would need to carry — enabling auditors and regulators to approve use and also allowing insurers to estimate risk and set insurance policy premiums.
Software development today is pretty much where bridge building was in the early 1800s. Software engineering is an oxymoron. Since no one can tell if an application is “strong” enough for its intended use, it is pretty much a crap shoot if it will fall to even the simplest of attacks.

But “software engineering” isn’t the only oxymoron at work here. The vast majority of cyber-attacks are enabled by tricking a user into giving away his or her password, commonly called “phishing.” If you have ever gone to a casino and seen people feverishly pulling the slot machine levers under the sign that says “These slots pay back 95%!!” you know that the human species is a hopeful species and willing to ignore a lot of evidence to the contrary. This is a good thing for people opening up new restaurants or high-tech startups, or for the hopes of average guys asking out beautiful women. It is not so good for the ability to protect systems when users freely give away their passwords or other sensitive information. “Human engineering” is the other oxymoron that undermines the ability of cyberinsurance to be more like home insurance or car insurance and actually cap or transfer risk.
The best form of health insurance is following basic hygiene (wash your hands! eat more fruits and vegetables! exercise more!) and avoiding illness — avoiding as many health problems as possible. Turns out the same is true for cybersecurity — basic security hygiene can avoid or mitigate the majority of vulnerabilities that attackers exploit to breach systems and cause the damage Lloyds discusses.
So: wash your cyber-hands! Lots of information on how to do this is published by the Center for Internet Security here and by the SANS Institute here. Twitter-worthy “Twelve Word Tuesday” on this topic here with some additional pithy analysis in SANS Newsbites.
