Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Businesses

Cyber Attacks Set To Become 'Uninsurable,' Says Zurich Chief 96

The chief executive of one of Europe's biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become "uninsurable" as the disruption from hacks continues to grow. From a report: Insurance executives have been increasingly vocal in recent years about systemic risks, such as pandemics and climate change, that test the sector's ability to provide coverage. For the second year in a row, natural catastrophe-related claims are expected to top $100 billion. But Mario Greco, chief executive at insurer Zurich, told the Financial Times that cyber was the risk to watch. "What will become uninsurable is going to be cyber," he said. "What if someone takes control of vital parts of our infrastructure, the consequences of that?"

Recent attacks that have disrupted hospitals, shut down pipelines and targeted government departments have all fed concern about this expanding risk among industry executives. Focusing on the privacy risk to individuals was missing the bigger picture, Greco added: "First off, there must be a perception that this is not just data ... this is about civilisation. These people can severely disrupt our lives." Spiralling cyber losses in recent years have prompted emergency measures by the sector's underwriters to limit their exposure. As well as pushing up prices, some insurers have responded by tweaking policies so clients retain more losses.
This discussion has been archived. No new comments can be posted.

Cyber Attacks Set To Become 'Uninsurable,' Says Zurich Chief

Comments Filter:
  • by bferrell ( 253291 ) on Tuesday December 27, 2022 @01:16AM (#63160594) Homepage Journal

    When the company (and the C level execs) have to explain the loses to shareholders, they MIGHT actually take steps to avoid the attacks aor defend against them properly

    • ... take steps to avoid the attacks ...

      This requires some agent exist that can certify that best practices have been followed, which requires another agent to determine what are the best practices. Application/OS software-security is a moving target, so that is very difficult. Insurance firms failed to respond to the warnings of poorer countries driving cyber-crime, or of global warming: Thus, the rules are being changed so they don't have to pay.

      This may mean the end of insurance, meaning only mega-corporations will survive any crime-wave o

    • by mjwx ( 966435 )

      When the company (and the C level execs) have to explain the loses to shareholders, they MIGHT actually take steps to avoid the attacks aor defend against them properly

      This. When it's cheaper to mitigate the effects than prevent the problem in the first place, the C level will always go for mitigation.

      I honestly think we need to bring in hard punishments for the kind of negligence that results in ransomware or cyber attacks. When some C-levels are sitting in Federal PMITA prison, then the rest will think twice (unfortunately, it'll be about how to blame the problem on someone more junior, see: the dieselgate saga).

    • by jmccue ( 834797 )

      If only you were right. Being in the holidays and with a New year approaching, I think you are a bit optimistic :)

      You really know what will happen, the C level execs will blame and fire the Cyber Security person who became a PITA by trying to tell them the need to spend real money to fix the problem.

      • by MeNeXT ( 200840 )

        Yes and they will hire the Cyber Security person that was fired from company B and start all over until they run out of money. Then they will hire some student that followed a computer course in university and the company will close on the next intrusion. The level C execs will then cry how they can't find decent employment because of age discrimination.

    • I couldn't disagree more. Insurance is used to manage risk not eliminate it. The core problem is that there are no IT "solutions" to cybercrime. The capabilities and implications are asymmetric; the perpetrators face a very low risks and have a much easier task than the defenders. Not only that, but so much business-critical software is now in the SaaS realm that many of the better defense strategies are now out the window.

      My company just moved our accounting software to the cloud, and our phone systems to

      • No, they actually fired or drove off the expertise... "It wasn't important or core to the business"
        No my first rodeo and I've watched this go on for 40 years.

        THEY use insurance to pad their stupidity

    • by EvilSS ( 557649 )
      Yes! This is the reason why uninsured drivers are the best drivers on the road.
    • by tlhIngan ( 30335 )

      When the company (and the C level execs) have to explain the loses to shareholders, they MIGHT actually take steps to avoid the attacks aor defend against them properly

      This requires some agent exist that can certify that best practices have been followed, which requires another agent to determine what are the best practices. Application/OS software-security is a moving target, so that is very difficult. Insurance firms failed to respond to the warnings of poorer countries driving cyber-crime, or of global w

      • log4shell, shellshock and heartbleed were all dues to halfway devs using code they didn't fully understand... Just grabbing something "off the shelf" and running it in a corporate environment, selling it as though it had been "hardened"... And it hadn't been. Yeah, if you want to run a small shop and behave that way, you may well be sued out of existence if you're not very careful about how you run things.

        "Move fast! Break things" can't be an exemplar anymore... And never should have been.
        It was the ultim

  • and you can't make any more money.

    Hopefully, the insurance industry will slowly stop insuring many things until they fold up and disappear.

    Maybe get the almighty government involved and force them to insure cyber attacks.

    • by Anonymous Coward
      That would be a pretty fucked up result. While the insurance companies are pretty evil, they are a necessary evil.
    • by jhoegl ( 638955 )
      Governments dont need to insure cyber attacks. Cyber attackers need to be held to account, and those countries that house them. If the countries wont address the issue, then the countries affected should block them from access. Imagine a country being denied access to all of Europe and the USA on the internet.
      • A better threat: Imagine such a country being cut off from international banking and trade.

        The countries we're talking about are already curtailing their citizen's access to internet resources themselves, it's not like sanctions in this area would do them any harm.

  • by Anonymous Coward

    I've seen several companies buy cyber insurance now and every single one of them involves their bean counters to figure out what the absolute minimum is they have to change or fix to get coverage with an acceptable premium. i.e.: it's not about protecting customers and their data, it's about cost control.

    Given the number of large scale breaches in recent years I'm not at all surprised that insurance companies, which operate at the same level of honor as bookmakers and organized crime (but still have to answ

    • i.e.: it's not about protecting customers and their data, it's about cost control.

      That is inevitably what insurance is for.

  • nothing is uninsurable; however, the premiums and audits may become unaffordable.
    • Re:not uninsurable (Score:5, Insightful)

      by Mr. Barky ( 152560 ) on Tuesday December 27, 2022 @03:15AM (#63160688)

      A thing is uninsurable if the cost of the insurance exceeds its value. In principle, of course one could buy insurance that costs more than the value of the thing being insured, but so few people would do so that it is uninsurable. (If the insurance were 2x or 3x the value, the number of people buying would certainly be very close to 0 - if nobody buys at the cost of insuring, it means the insurance product is unviable and by any reasonable definition of uninsurable, it is.)

      • Bought a 1993 pickup last year for $1500. Insurance, which I'm legally required to have in order to drive it on public roads, is $32/mo extra on top of my existing auto insurance stuff.

        I don't have a break down on it, but most of the extra cost is health related (I have very large limits on hospitalization stuff on my car insurance - vehicles are relatively cheap/easy to fix compared to a human)

        If it were only theft/damage on the truck itself that I was covering I'd be a fool to pay it, I'll have spent mor

    • Re:not uninsurable (Score:5, Insightful)

      by Opportunist ( 166417 ) on Tuesday December 27, 2022 @03:42AM (#63160712)

      A risk is uninsurable, or considered uninsurable, if the cost to insure exceeds the value protected. Also, in this particular case, the risk being uninsurable stems from the repeat damage. We're not talking about some expensive vase that is worthless when it was broken once. We're talking about something that can be broken again and again and again, every single time with associated damages.

      • by mjwx ( 966435 )

        A risk is uninsurable, or considered uninsurable, if the cost to insure exceeds the value protected. Also, in this particular case, the risk being uninsurable stems from the repeat damage. We're not talking about some expensive vase that is worthless when it was broken once. We're talking about something that can be broken again and again and again, every single time with associated damages.

        The thing about insurance is that it distributes risks amongst all involved parties, so that everyone pays for the few that screw up (wait, Uncle Mikey, isn't that communism? Yes little Jimmy, yes it is but we don't call it that). When the cost of paying for the few who screw up becomes greater than the total everyone is willing to pay insurance companies have a problem.

        • The thing about insurance is that it distributes risks amongst all involved parties, so that everyone pays for the few that screw up (wait, Uncle Mikey, isn't that communism? Yes little Jimmy, yes it is but we don't call it that).

          Correct; insurance is a capitalist implementation of socialist principles.

      • A risk is uninsurable, or considered uninsurable, if the cost to insure exceeds the value protected.

        Yes, and this varies greatly. If you provide a good or service that is not critical - greeting cards, cat videos, word games, etc. then all the cost of an intrusion is basically your own cost of remediation. If you are, say, a water utility, a healthcare provider, or a commercial datacenter operator, then you may be exposed to massive liability from loss of your service to your clients as well as just yourself. If people die becasue the hospital was hacked, damages could be far greater than simply the co

  • by John.Banister ( 1291556 ) * on Tuesday December 27, 2022 @02:04AM (#63160624) Homepage
    Usually what insurance does when systems have risk is to insure the ones that have been designed to mitigate the risk, and rather than trust people's claim that they did so, they require inspections from independent entities that they trust. Tall buildings with bad structural engineering don't get insured. Tall buildings that have passed a building code inspection get insured. Learning whether a security system is insurable looks like a job for penetration testers.
    • by Ed Avis ( 5917 )
      Penetration testing is fine, but like most testing it can only prove the presence of bugs, not their absence. If you are defending against highly skilled attackers (and let's assume for the moment that Russia or North Korea or China or whoever has such people, and might want to target your oil pipeline or reactor or whatever) then your penetration testers need to be equally skilled. That doesn't come cheap. You can't rely on some box-ticking exercise where a moderately intelligent monkey connects to your
      • Sure, not cheap. But, if you need that insurance, what costs less? You have to show you're doing something effective to prevent this problem.
    • by kaur ( 1948056 ) on Tuesday December 27, 2022 @02:46AM (#63160672)

      Insurance insures companies and their business, not "systems".

      I have had cyber-insurance for the companies that I work for. There is an assessment on both the business and the security of the organization before you even get to an insurance broker (Marsh McLennan in our case). Are you processing credit cards? If yes, do you have PCI DSS certification? Do you work with EU citizen data? If yes, do you comply with GDPR? And so on. Do you have risk management? Security team, budget, policy, and roadmap? And so on.

      Then - what do you want to cover? Do you "protect" yourself from cyberattacks? You own mistakes? Supply chain attacks? Service outges? Employee misdemeanor? Direct costs of handling an incident (eg buying professional services to clean up your network)? Damages to third parties? This is all intervowen with other insurance types (executives & officers insurance and whatnot). If your head of marketing runs off with your client database, is this "cyber"?

      The area is rather complicated. 90% of this is legal, 10% security. I also claim that most people in the area do not understand what it is. The legal people have no idea about security, the security and risk management people do not understand legal, and the two sides rarely meet.

      • by La Gris ( 531858 )

        I wish I could mod you up insightful on this.

      • by aaarrrgggh ( 9205 ) on Tuesday December 27, 2022 @11:14AM (#63161362)

        Our policy gives a two page set of questions, none of which really reflect today's risk of payout for the company. They do not ask if any users have easily guessed, written on a post-it, or re-used passwords. They do not ask if you use security tokens for login or remote access. They don't ask if you have a smart cloud infrastructure. The insurance companies don't have good ways to make the assessments.

        One of our clients (a HMO) gave us an exponentially more complex risk assessment. The response conveyed back to their CEO is that compliance with this assessment would require us to double our fees; it was literally a seven-filigre task to do the things they were asking for. Much of it was good ideas, but trying to set up a SCIF store for their (non-patient, non-IT) data and create and document processes for all the once-every-three-plus-years tasks was not in line with the services we provide.

        Proper security is just an impossible ask for a company with more than 3 people and less than 2,000. The talent pool does not exist. It might also be impossible when you get over 5,000 people. Too much becomes chance.

      • by gweihir ( 88907 )

        Indeed. There is an additional problem though: It is getting more than 10% security. Not because the legal aspects shrink, but because the risk of getting hit really bad on the IT security side is now pretty high and the IT security side must critically go beyond checklists and into actual understanding.

    • Tall buildings that have passed a building code inspection get insured.

      Your example demonstrates the pointlessness of your mitigation claims. Tall buildings pass building codes. Period. The fact that there are legally binding codes that underpin its very existence automatically makes all tall buildings insurable.

      Yeah that's one specific example, but I'm latching on to it since it underpins how insurance is made. You have a tall building. As far as the insurance company is concerned that's that. Now the insurance company will determine value of the insurance depending on the va

      • architectures have state licenses and the power to tell the boss to fuck off on doing something unsafe.

        • by gweihir ( 88907 )

          Exactly. And in the IT field, the typical coder or even engineer often does not even understand what would be unsafe. And there are lots of exceptionally unsafe mainstream practices, like the insane mess with massive numbers of more-or-less arbitrary external dependencies in web-applications. People are _taught_ to do it that way and anybody with some real engineering expertise can see this will never be safe or secure and cannot be fixed.

          • Do software engineers even exist? The title gets tossed around as interchangable with "software developer", and is meaningless from a PE perspective. NCEES discontinued their Software Engineering exam in 2019. Almostnobody took the exam [ncees.org]
            .

            And as you've already observed, web applications are a sloppy mess of random garbage thrown together with duct tape, thoughts, and prayers.

            And then there is "Agile"...

      • And, if you file an expensive claim, the first thing that they will do is attack that declaration. If you say there's no asbestos, and then file a claim because you're getting sued over asbestos exposure, the insurance will say "we won't pay, because you lied to us when you bought the insurance." If you're buying insurance where you need to assert that your employees behave securely, and you don't have any documentation of that, then after the security breach, they can say "you lied" using the breach itse
      • by gweihir ( 88907 )

        Indeed. When insuring IT security, insurances are basically asked to insure arbitrarily build houses or cards. That only works when there is quite low risk of an actual attack. And that time is over.

        In the end, we will have to lift the IT and IT security field to proper engineering standards. Like all other engineering disciplines have achieved, but the IT workers refuse to do.

        • I doubt the IT workers refuse to raise the standards. It's more likely the employers of IT workers refuse to pay for that level of discipline.
          • by gweihir ( 88907 )

            It is both. Just look at the uproar that starts here when it is suggested coders should bear some responsibility and liability for the stuff they produce. Some will say "Yes, if I get the time and money for it" and these are the good ones, i.e. the ones that could or do work on real engineering level, not bloody amateur hack level. But the majority will just scream bloody murder and an unqualified "do not want".

            At the same time, no actual engineer would find it strange to be held liable for shoddy practices

    • Hard to assess risk when it changes dynamically as bugs are patched and discovered, staffing changes, and threats evolve.

    • by gweihir ( 88907 )

      They do not have enough experts for that. In theory, they could make the customer pay for inspection beforehand before they decide to accept the risk or not. But the market does not (yet) allow that, so they have to have in-house experts to keep cost down. Also and they simply cannot get enough qualified ones (internal or external ones) that not only really (!) understand IT security, but also really understand how risk management and compliance works.

  • Does that mean that companies that deal with lots of information going to need to hire people to put that information in and out of air-gapped storage systems? At what point does it become cheaper to just have people doing paperwork and answering the phone instead of securing an online system?

    • by Todd Knarr ( 15451 ) on Tuesday December 27, 2022 @04:01AM (#63160752) Homepage

      That or revert to older network architectures. Construct the internal company network so it isn't connected to the Internet directly. Use bastion hosts in a DMZ for external connectivity, and then use VPNs to connect the DMZ to organizations you need to transfer data with. Do not permit any non-company devices to connect to the internal network. If access to the Internet is important for employees, have a separate public network for that and allow personal devices there but do not allow any interconnection with the internal network. If internal systems are cloud-hosted, use vnets and VPNs to isolate them from the Internet and connect them to the internal network. It takes some work, but it was a solved problem 20-30 years ago. It completely boggles me that we ever bought into the idea that we should allow devices and networks that were directly connected to the Internet to also directly connect to internal corporate systems.

      • by HiThere ( 15173 ) <charleshixsn@@@earthlink...net> on Tuesday December 27, 2022 @08:55AM (#63161010)

        That's not a complete solution, but it's a major step in the proper direction. The problem is that having rules doesn't keep someone from breaking them. And wireless devices may create a problem. And even keyboards are usually wireless these days.
        OTOH, it should USUALLY work.

        • Corporate network usually means managed switches. Company devices have signed certificates to authenticate via 802.1X. Personal devices don't. Set up the networking infrastructure so that any device that can't authenticate causes the port it's on to be disabled until it's unplugged. It's a rote setup. 802.1X works over wireless, so that solves that problem too (although I'd suggest not using wireless at all for the corporate network except for connecting peripherals to PCs).

    • by jmccue ( 834797 )

      Does that mean that companies that deal with lots of information going to need to hire people to put that information in and out of air-gapped storage systems?

      For some industries this should be mandatory. For example, the pipeline incident a year or 2 ago. There is no reason for pipeline control to be on the internet. Same for electric generation.

  • by dohzer ( 867770 )

    Cyber Attack Insurance Set To Become 'Unprofitable,' Says Zurich Chief

    • ...or insurance companies decide they won't insure companies because their executives have spent decades being irresponsible, careless, & willfully ignorant & refusing to do what's necessary to secure their IT systems.
    • by gweihir ( 88907 )

      Cyber Attack Insurance Set To Become 'Unprofitable,' Says Zurich Chief

      Yes, so? Insurances are for-profit. They do not do unprofitable products. If they do, they eventually go bankrupt.

  • by jarle.aase ( 1440081 ) <jarle@jgaa.com> on Tuesday December 27, 2022 @02:59AM (#63160678)

    The sole value or contemporary corporate culture is greed. In order to do business, corporations have to pretend to take "security" serious, for example by getting a SOC2 certificate. Having this document, the C level people can focus on greed (fucking employees, customers and "partners") and when they are hacked, they pick the standard "talking points" from the latest McKinsey& CO "Greed Is Good 101 Handbook" and lie about how much they value their customers privacy.

    I believe the only way to fix the problem is to change the incentives, both for the corporations and for the crooks. The insurance companies are just greedy corporations who aim to maximize their own profits. Changing the coverage will not fix the problem.

    The problem is greed. The corporations skip corners to maximize profits (and insane bonuses for the CEO's court), and the crooks (more and more of them) do hacking because it's profitable. In order to fix the problem, I think it must be illegal to for example pay ransoms to crooks. If that's illegal in a meaningful way, then the incentive for the crooks will vanish. If C level people are routinely criminally prosecuted after a breach, and the investigation look at the actual security measures and security competence in the organization, clown-show performances like SCO2 will loose their value. Corporations will need to hire competent security people and implement real security measures and/or limit their exposure by not harvesting non-essential sensitive data. As long as it's legal to pay extortion fees to crooks, and perceived security is cheaper than actual security, the problem will not get better.

    • Our Data:an appeal - a "Plimsoll line" for apps [blogspot.com]

      In a recent speech "Fixing Network Security by Hacking the Business Climate", also now on Technetcast, Bruce Schneier claimed that for change to occur the software industry must become libel for damages from "unsecure" software. However, historically this has not always been the case, since most businesses can insure against damages and pass the cost along to the consumer.

      The Ford Pinto and more recently the Ford Explorer's tires are two examples of public and

    • by Bruce66423 ( 1678196 ) on Tuesday December 27, 2022 @06:03AM (#63160836)

      If I can end up getting a prison term because some nerd in systems admin gets seduced by a cutie, then I'm not going to accept the job and no rational, competent person will accept the job. This is the same issue with those who want to charge those in charge of safety at an organisation when something goes wrong.

      The real answer is to accept that some things can and should be managed, and some things are unavoidable. This is the origin of the concepts of 'reasonable error', 'negligence' and 'gross negligence'. The problem lies in the fact that when something goes wrong due to 'reasonable error', the pressure to find a scapegoat can be overwhelming, and establishing it was 'reasonable error' may be hard to establish; instead the professional gets railroaded by public opinion because the law allows for the possibility...

      • by gweihir ( 88907 )

        If I can end up getting a prison term because some nerd in systems admin gets seduced by a cutie

        1. Many nerds are a lot less gullible than public opinion has it.
        2. If you did not make sure critical stuf has a 4-eye principle in place, then you deserve that prison term.

        • That's a good answer, and probably an example of something whose absence should attract prison terms. I just suspect that it's nothing like sufficient and the massive range of threats means it's unreasonable to expect perfection, especially in smaller firms. We can probably enforce that sort of standard in the private sector, but in cash strapped public sector organisations it's going to be harder. Getting politicians to agree to properly paid IT staff rather than employ more teachers / police officers etc

      • If I can end up getting a prison term because some nerd in systems admin gets seduced by a cutie, then I'm not going to accept the job and no rational, competent person will accept the job. .

        If you are the CEO of a corporation that handles sensitive data, and that data is stolen from you, then a criminal probe to you and the corporation should be expected and warranted. If you have taken good measures to prevent the theft, then you should be fine, and the corporation should be fine. If you hired a good-talking but clueless friend as CSO, - then there may be a question about criminal neglect. If you de-funded the entire security team in order to boost the quarterly profits, and hence your own bo

        • Hmmm... The problem is, and will be for the forseeable future: 'What is enough spending on security?' There's always a trade off, and we are in danger of giving the IT security section a blank cheque.

          I like your approach in general though.

  • Simple remedy (Score:4, Interesting)

    by Freischutz ( 4776131 ) on Tuesday December 27, 2022 @03:02AM (#63160682)
    Just apply the same solution that the EU is planning to introduce for CO2 polluters and slap an import tarriff on countries that is directly proportionate to the amount of world wide attacks they generate.

    Just for reference purposes, the top ten originators of the world's cyber attacks are **roll on snare drum**:

    1. China - 41 %
    2. USA - 10 %
    3. Turkey - 4.7 %
    4. Russia - 4.3 %
    5. Taiwan = 3.7 %
    6. Brazil = 3.3 %
    7. Romania = 2.8 %
    8. India 2.3 = %
    9. Italy 1.6 = %
    10. Hungary = 1.4 %
    • Re:Simple remedy (Score:4, Interesting)

      by Opportunist ( 166417 ) on Tuesday December 27, 2022 @03:48AM (#63160720)

      It's even easier than that: Do what a lot of EU countries did and make C-Levels personally liable for gross negligence when it comes to security. If your company screws up and you can't show that you did what's necessary to secure the crap, your old Ferrari will have to do for another year because this year the money you earmarked for a new one goes to paying that fine.

      Since we had that, security budgets went up by magnitudes. Because C-Levels prefer to cough up company dough than their private stash.

      • It's even easier than that: Do what a lot of EU countries did and make C-Levels personally liable for gross negligence when it comes to security. If your company screws up and you can't show that you did what's necessary to secure the crap, your old Ferrari will have to do for another year because this year the money you earmarked for a new one goes to paying that fine.

        Since we had that, security budgets went up by magnitudes. Because C-Levels prefer to cough up company dough than their private stash.

        That too but visiting consequences on people for negligence and apathy only works in your jurisdiction. Tariffs, preferably targeted tariffs, would be an easy way to crate large lobbies in cyber crime nests like China who'd be willing to exert pressure on government to clamp down on this kind of behaviour with all the weight the state's HUMINT/ELINT assets and law enforcement apparatus because these cyber criminals would now be getting in the way of them doing legitimate business.

    • by DrXym ( 126579 )
      Not saying you're wrong but you probably want to weight that % by population.
      • Not saying you're wrong but you probably want to weight that % by population.

        I have no problems with considering that option.

  • by DrXym ( 126579 )
    If companies can't insure themselves, it might motivate them to pull their fingers out of their arses and secure their networks, implement recovery plans.
  • and, even worse, orgs that are known to have insurance tend to attract attackers.
    For these two reasons, there is no place for insurance in cybersecurity.
    BTW, paying ransom should be outlawed - it would help, IMO
       

  • The same companies that can demand their applicants possess a college degree also refuse to demand their employees use a secure operating system.

    While a certain company has gotten better in recent years with respect to reliability and security, they still operate with a consumer-devices mindset, because their flagship product is used to sell PC's, not to provide security in computing. Their EULA specifically disclaims liability for security bugs. Why Corporate America believes they should be using a pr

  • I worked at an MSP (Managed Service provider) for dozens of clients, and love it when they bring their cyber insurance forms to us. The requirements are laughable, the questions are a joke (written by someone who has zero security or IT background). And although the clients refuse even the most basic of security recommendations- i.e. encrypting data, MFA, SPAM filtering, anti virus/EDR, network segmentation, UPDATES to modern OS/software, etc... THEY STILL QUALIFY FOR CYBER INSURANCE! Even after losing

An adequate bootstrap is a contradiction in terms.

Working...