Maybe it’s my actuarial background, but I’ve always seen IT security as an activity that should work hand-in-glove with insurance. After all, both domains are about planning for, and if possible preventing, disaster. Both have trouble showing they are “working” until something really bad happens. Both therefore have to go to special efforts to make the case to a CFO for the expenses involved. And of course, insurance has a few centuries of experience that can teach us IT secfolks plenty. We like to think that our problems are so new, so unprecedented, but the insurance business has dealt with far stranger worlds than ours. (Jimmy Durante’s nose? Really? Why yes – they insured that too.)
So it was with some interest that I read of recent dysfunction in the relationship. Apparently Lloyd’s of London (no relation) have seen a big increase in requests for coverage, especially from SCADA industrial and power plants, but as they review applicants, they have refused most of them.
Now, let’s be clear about this: it’s not that the insurance “syndicates” (the sub-parts of Lloyd’s exchange who write the policies) find it scary. They handle scary for a living. They already write cyber protection policies for some. And it’s not that the area overall represents a level of risk they can’t handle – after all, these exchanges are exactly where you go when you want to insure against huge calamities, such as losing an oil tanker in the middle of a pristine ecosystem, or popping the cork on a deep sea well that you can’t close up again.
So why would they turn down so many applications – serious organizations, including parts of our critical energy infrastructure? Well, consider extreme sports – if that’s your thing, you can get insurance for that too. Unless, of course, the insurer knows you practice your sport in ways that just aren’t safe. You can’t just walk in off the street and buy a cyber insurance policy; wisely, the insurers want to review your security practices first, to see if your defensive strategy amounts to anything more than hope or a tin foil hat.
Don’t forget – the insurance companies want to take your money if they possibly can. For them to decide you’re just not insurable means you represent an existential threat to them. That may sound extreme, but it’s part of what makes insurance complicated – there’s such a thing as “too much success” in their business. Imagine you write a really attractive new kind of policy, at a great price, and loads of people take one out – so many, in fact, that at least some unfortunate people will immediately file claims, before you’ve had the product on the market long enough to get cash in to cover the pay-outs. So in effect, if you go to Lloyd’s of London, and they look you up and down and send you on your way, you have to take that as a serious message – you’re just not doing what needs to be done to pass a basic inspection. Indeed, the good folks who make up the Lloyd’s exchange are very smart at what they do, but nobody takes them to be world experts on APT and the like – they don’t even work in IT security, and they can tell that our defenses aren’t good. It’s a sobering thought.
Security professionals can exploit this in two ways. First, it’s a great lesson to bring home the serious problems we face even adhering to the basics. Your executives have heard just about enough drumbeat about the Target breach by now – any given FUD card only works so many times. The fact that insurance companies – well respected by every business-centric executive – look at this kind of risk transfer and say “no, thanks” is a pretty clear indicator that something’s rotten in the state of Denmark (or wherever you happen to find yourself). The sad truth is our defenses – and I’m talking here about critical infrastructure – don’t even pass a basic sniff test from actuaries who would like to take our money. You already know that, of course; every security professional I talk to knows that. But executives can still be slow to get it, so this strong external endorsement, coming from people famous for their level-headed, no-nonsense approach to the facts, can be really useful.
Second, the whole discussion brings up a perennial good question: how can you go beyond just doing some good security to actually showing someone outside – someone probably not as technically savvy – that you’re being effective? That is, how can you measure your attack-readiness, and your steady improvements in it? I may have some suggestions on this point, but you’d expect as much.
Oh, and as for Lloyd’s of London, I said “no relation”, but it wouldn’t help me all that much if there were. Edward Lloyd was just a guy who ran a coffee shop in which merchants and dealers would hang out, talk shop, and eventually buy and sell insurance. The operation (not technically a “company”) just kept his name. So when I make my morning cup of Joe, sometimes I think of my place as “Lloyd’s of California” – it’s just a bit quieter than a 17th century bar full of sailors.