Insurance companies are coming for the infosec industry
LAS VEGAS — Insurance giants are becoming more sophisticated with their cyber insurance packages, which could soon put them in a position to dictate how cybersecurity companies operate, one cybersecurity expert said Wednesday.
“I think it’s only a matter of time before information security’s masters change,” said Jeremiah Grossman, the chief of security strategy for California-based endpoint protection firm SentinelOne, at the 2016 Black Hat security conference. “We’re not going to kowtow to PCI,” or other standards bodies, but be “dictated to by the insurance industry and that is going to change everything about what we do.”
A big reason for that shift is some companies find buying the cyber insurance a better investment than paying for security technology and services that may not prevent hacks to begin with, he said.
“Companies are equally as likely to buy insurance as they are to give it to us to prevent a hack,” he said. “That’s an indictment of our industry, they don’t want to give us any more money to prevent hacks. They would just rather insure the downside and be done with it.”
[Sign up for CyberScoop, our new newsletter focused on cybersecurity’s cutting edge.]
Companies have had cyber insurance for a while, but the policies aren’t covering the full damages from the breaches. For Target’s $250 million loss, the company’s policy paid them back around $90 million. A similar breach at Home Depot cost $43 million, yet the hardware retail company only received $15 million from its policy.
For policies to provide the right amount of coverage (and charge a worthwhile premium), insurance companies normally rely on actuarial data for fine tuning. The amount of data needed to do that doesn’t exist yet. However, Goodman said that won’t be the case for much longer.
“When the breaches happen and the incident response comes in, [insurance companies] will figure out what things you’re doing, what antivirus you’ve bought and what operating system you’ve had, how often you scan it and all sort of things,’ he said. ‘Then they will adjust the premiums based on security posture, and guess what? They are going to be mathematically correct in a way infosec could never be.”
The result? Unless a company meets certain cybersecurity requirements, it could see its premiums spike.
Security vendors can respond to this shift by offering some type of guarantee or warranty if their products fail to stop an attack, Goodman said. He said end-user license agreements have “destroyed any notion of liability.”
“We do not accept this in any other industry except software and security,” Grossman said. “Not TV, not clothes, nothing. Every thing out there comes with some kind of return policy or guarantee except infosec.”
He also voiced support for the Cyber Independent Testing Laboratory, the operation stood up Peiter and Sarah Zatko that will rate the security of software similar to the way the independent Underwriters Laboratories evaluates a range products.
Until that project becomes commonplace, Grossman looks at the cybersecurity industry as a “$75 billion garage sale” — with all sales being final.
“We can do better and deserve to do better.”