The multibillion dollar cyberinsurance market is growing rapidly -- perhaps too rapidly, according to Jeremiah Grossman.
Grossman, chief of security strategy at SentinelOne Inc., believes cyberinsurance offers strong value to enterprises looking to protect themselves from the costs of security incidents. There's no question that many enterprises agree; according to a recent study by Allianz, the global market for cyberinsurance is forecast to reach $20 billion by 2025.
"In my opinion," Grossman told SearchSecurity, "companies will buy cyberinsurance and they'll buy product warranties just like you buy GEICO car insurance and you have a Toyota car manufacturer's warranty."
But Grossman also believes the market is immature and lacks standards. And perhaps most importantly, he thinks the wrong people are buying and selling cyberinsurance.
Grossman talked with SearchSecurity at Black Hat 2017 about where the cyberinsurance market is headed, how it needs to mature and the effect it will have on the infosec industry. He also talked about the prospect of software liability and further government regulations for technology. Here is part two of the conversation with Grossman. Part one of the interview can be read here.
How do you see the cyberinsurance market progressing? Is policy development getting more detailed and more complex?
Grossman: Every policy that you'll read -- and I've read probably a hundred of them now -- is different. There are no standards. It's a Wild West out there. In many cases, it looks like they took a property or fire insurance policy and substituted fire with computer, and it doesn't really map that way.
What's challenging operationally for the entire ecosystem is that the primary buyer of business insurance is the CFO and the risk department that doesn't know enough about cybersecurity. And it's being sold to them by an insurance broker who certainly doesn't know cyberinsurance.
When it's a large policy -- let's say it's over $100 million -- there will be a survey that gets funneled down to the CISO that says: 'Tell me about your IT environment,' which will not move the premium one way or the other. And that's the last time a CISO ever touches a cyberinsurance policy, predominantly. So the CISO is not part of the cyberinsurance discussion, but I think, in the future, they will.
Where it should be, and where I think things are going to head based on conversations with a lot of CISOs, I think they're going to take ownership over that insurance piece as the purchase. But that only solves the buy side.
What I think the insurers will do is start hiring security sales representatives and teach them enough insurance to sell to the CISO in that channel. Because it's either we train the current brokers in computer security or we train sales reps in security just enough to sell insurance. So which one's the better model?
You said the policy survey doesn't move the premium at all, but home insurance premiums go up or down based on a number of factors and features. Do you see that same sort of thing happening with cyberinsurance?
Grossman: I know exactly what you're saying -- adjusting the premiums based upon your security posture. Yes, I think so.
Do you think it will be dependent on specific, tangible products in place or will it be based on an overall assessment?
Grossman: No, it'll be a risk assessment. Aon Hewitt, the large insurer, recently bought Stroz Friedberg, a large consulting firm. They're going to be the risk assessors. If you want a $250 million cyber policy, then they're going to send in these guys first to assess the risk and price you.
On the big policies, that's how it'll work. On anything under a hundred million, you can actually get a quote today by answering just three questions.
What are the questions?
Grossman: First, what industry you are in, because certain industries are more targeted than others. Second, how many records you're storing, because they calculate based on that on how many notifications they're going to have to do in case of a breach because that's a hard cost. And third, how much revenue you're doing, because that speaks to the attractiveness of the victim as a target. And that's it.
If you're under a hundred million, you can get a policy with those three questions, and it will cost you very little. Your premiums will be 2% of the liability limit.
That seems like a decent investment.
Grossman: It's stupid not to buy cyberinsurance.
Now, let's compare and contrast with the infosec industry: an $81 billion industry growing at 5%. Cyberinsurance premiums are $3 to $4 billion [worldwide] growing at 50% annually.
We've just been told by the market that the business doesn't want to give infosec companies any more money. They're just as likely to buy insurance as they are to prevent a data breach with yet another security control. We have a credibility crisis going on here. And I think warranties fix that.
On that note, what do you think about the discussion around software liability? Let's say there's a catastrophic vulnerability that should have been patched by a software company and it leads to a major breach or cyberattack. Do you think we'll start to see legal action against software companies in cases like that?
Grossman: I think that will happen eventually. The software security regulations and the end-user license agreements [EULA] will be null and void -- but not until somebody dies. We didn't get automotive manufacturer standards until we had car wrecks. We didn't get a Federal Aviation Administration until planes went down. It's sad, but that's what will happen here.
However, we are seeing something interesting. You have software and we have service providers; the service providers will actually take on liability in service-level agreements for their customers. Software providers will resist warranties in their EULAs kicking and screaming. They'll have to do it eventually, but that's the way it is right now.
Following up on that, Bruce Schneier talked about regulations for the internet of things at RSA Conference earlier this year. He essentially said the same thing -- when someone dies as a result of an IoT device being inherently insecure, that will lead to government regulation, and potentially even something like a license to develop software.
Grossman: Government will smack their lips at that one. They're going to love that. And I think he's right to some regard. Whether the regulations go further or lesser, I'm not sure; we can debate the details. But he's going to be largely right.
The when is the question. It might be five years off, or it might be 10 years off. The timing is the part that's in question.