I first came across the term cyberinsurance earlier this year while attending an information session in DC. At that point, it was suggested that for it to be feasible for insurance companies to offer cyberinsurance, there needs to be a benchmark that takes into account the cyber risks companies are facing. Using a risk-based approach to combating security threats allows companies to calculate the residual risk affecting their information systems, which in turn allows insurance companies to compute the premium a company has to pay. This makes perfect sense: a company that faces less cyber risk should be charged a lower premium than one facing higher cyber risk. This is similar to health insurance, in which healthy individuals are charged less than those who have pre-existing medical conditions.
The rise of cyberinsurance is unavoidable. In risk management, we seek to avoid, then mitigate, then transfer, and finally accept residual risks. Avoiding risks has long been a core part of information security: putting systems behind firewalls, closing unused ports, applying the principle of least privilege. Mitigating risks came next, with IPSes and disaster recovery/business continuity plans. The cloud can in some way be considered the transference of risk, outsourcing the security and maintenance of systems to cloud companies. With the increasing concern over sensitive data, companies are looking towards privatising their cloud services, and this is where cyberinsurance comes in.
Some days back, an article mentioned that BitPay was attempting to claim on its cyberinsurance over a targeted social engineering attack on its CEO. I do not know if this is indeed the first landmark cyberinsurance claim, but it is the first case I have heard of. The case involves the hacking of the CEO's personal computer, through which the CEO's corporate email account was accessed. Given how widely adopted the Bring Your Own Device (BYOD) movement is, I wouldn't be surprised if a similar case is reported in the near future.
How then should we look at this case? If the cybercriminal had used the credentials to directly transfer the bitcoins, there would be no dispute and the insurance company should be liable. However, the cybercriminal was probably unable to access the transfer system directly, as it was possibly accessible only through the intranet, and hence had to take his chances with a social engineering attack. Therefore, I would argue that it wasn't a technical vulnerability but a procedural flaw that led to the loss. Even without hacking the CEO's computer, he could have easily spoofed the sender's address to achieve a similar result. The entire hack could have happened offline (i.e. by planting a post-it note on the CFO's desk). Closing the feedback loop would have easily solved this problem. Hence, I am on the insurer's side for this particular case: it wasn't computer fraud, but a lack of proper procedures, especially with regard to high-risk actions such as transferring money.
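One way to put that feedback loop into practice, as an added illustration that is not BitPay's system or code: a transfer workflow in which any high-value request, however legitimate the sending mailbox looks, is parked until a code bound to that exact request comes back over a channel registered in advance. Replying from the same mailbox does not close the loop, which is the point. The threshold, the registered phone number and the HMAC secret are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed policy values (constructed for this example, not real configuration).
HIGH_RISK_THRESHOLD = 1_000
# Channels registered at onboarding, never taken from the incoming message.
REGISTERED_CHANNELS = {"ceo@example.com": "phone:+1-555-0100"}


class ConfirmationRequired(Exception):
    """Raised when a high-risk transfer is executed before it was confirmed."""


class ConfirmationFailed(Exception):
    """Raised when a confirmation arrives over the wrong channel or with a bad code."""


@dataclass
class TransferRequest:
    requester: str          # identity the incoming email claims to be from
    amount: int
    destination: str
    nonce: str = field(default_factory=lambda: secrets.token_hex(8))
    confirmed: bool = False


def confirmation_code(req: TransferRequest, secret: bytes) -> str:
    """Short code delivered to the registered channel. It is an HMAC over the
    full request plus a per-request nonce, so a code issued for one transfer
    cannot be replayed to approve another."""
    msg = f"{req.requester}|{req.amount}|{req.destination}|{req.nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]


def request_transfer(requester: str, amount: int, destination: str, secret: bytes):
    """Open a transfer. Low-value transfers are approved directly; high-value
    ones are parked and a code is issued for the requester's registered channel.
    Returns (request, delivery) where delivery is None or (channel, code)."""
    req = TransferRequest(requester, amount, destination)
    if amount < HIGH_RISK_THRESHOLD:
        req.confirmed = True
        return req, None
    channel = REGISTERED_CHANNELS.get(requester)
    if channel is None:
        raise ConfirmationFailed(f"no registered out-of-band channel for {requester}")
    # A real system would send the code over `channel` here; returning it stands
    # in for that delivery so the example runs offline.
    return req, (channel, confirmation_code(req, secret))


def confirm_transfer(req: TransferRequest, presented_code: str, via_channel: str, secret: bytes):
    """Accept a confirmation only if it comes back over the channel registered
    for the requester (not the mailbox the request arrived from) and carries
    the code bound to this exact request."""
    if via_channel != REGISTERED_CHANNELS.get(req.requester):
        raise ConfirmationFailed(f"confirmation over {via_channel} is not the registered channel")
    if not hmac.compare_digest(confirmation_code(req, secret), presented_code):
        raise ConfirmationFailed("code does not match this request")
    req.confirmed = True
    return req


def execute_transfer(req: TransferRequest) -> str:
    if not req.confirmed:
        raise ConfirmationRequired(f"{req.amount} to {req.destination} awaits confirmation")
    return f"sent {req.amount} to {req.destination}"


def run_scenario(secret: bytes = b"constructed-demo-secret") -> dict:
    """Walk through the compromised-mailbox case: the request looks legitimate
    because it comes from the CEO's account, but the loop only closes on the
    CEO's registered phone. Returns a dict of outcomes for inspection."""
    out = {}
    req, delivery = request_transfer("ceo@example.com", 5_000, "unknown-wallet", secret)
    out["delivered_to"] = delivery[0]
    try:
        execute_transfer(req)
    except ConfirmationRequired:
        out["blocked_before_confirmation"] = True
    # Replying "yes" from the same mailbox does not count, even with the right code.
    try:
        confirm_transfer(req, delivery[1], "email:ceo@example.com", secret)
    except ConfirmationFailed:
        out["email_reply_rejected"] = True
    # Only the person holding the registered phone can close the loop.
    confirm_transfer(req, delivery[1], delivery[0], secret)
    out["result"] = execute_transfer(req)
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The design choice worth noting is that the confirmation channel is looked up from a directory populated out-of-band, never from the request itself; if the channel were taken from the email (a "call me on this number" line), an attacker holding the mailbox would control both ends of the loop.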