Every time I’ve looked into “cyber incident” insurance it just didn’t make any sense financially. They’ll cover things like required customer credit monitoring and the cost to mail notification letters but neither of those costs are worthy of insuring against. In the grand scheme of things they’re negligible.
At the same time it’s almost impossible to put a dollar value on the real cost of a cyber security incident: bad PR, lost and unhappy customers, increased regulatory oversight, a board that’s (understandably) skeptical of your ability to prevent future incidents. And no matter how big of a check you could get an insurance company to write the data still walked out the door. All the money in the world can’t unring that bell.
How would you even begin to model the risk here though? There's no straightforward financial loss to Solarwinds here except their reputation likely being forever ruined. Do you insure the value of the entire company?
When your client is the USG and foreign hackers exfiltrate secrets through your platform, I don't think the DoD cares that you had insurance.
This is an idea that should be explored more fully. The downside is that it will make information technology a much less freewheeling and innovative field.
It's a massive innovation killer downside. How about we restrict this to "all internet companies selling security software to governments", at the very widest?
Construction companies seem to do fine even though building codes exist.
It's not uncommon for a mature industry to face a reckoning around damaging practices that were common when they were nascent industries.
Would you like to live below a dam that was built under a loose and permissive regulatory regime? How about storing sensitive personal data in a datacenter whose owner specifically disclaims liability for its exposure?
>Construction companies seem to do fine even though building codes exist.
They're not the ones paying for it. The people wanting the building built are. And there's a lot of corruption in that. On top of that, there's a pretty clear housing crisis in big cities.
Presumably it could work the way auto insurance works, where you'd be required to carry insurance but you'd have your pick of who supplies it. (Unless I misunderstood and you're opposed to requiring insurance for anything.)
The issue here is that insurance doesn't actually solve the problem. Auto insurance doesn't get people to drive better, because a car accident can kill you, which means that all the people driving like idiots are doing it because they already don't think they're going to get into a collision. And you'll notice that they all still drive like idiots even with insurance, possibly more so because of the moral hazard.
All auto insurance really does is make it so that when some idiot with no money hits you with their car, there will be somebody to pay for the damages.
The problem with doing this for computer security is that if you don't put the liability on the company then there is nothing for the insurance to cover, but if you did then it would bankrupt the insurance company.
Imagine one of the vendor's clients is a pharmaceutical company and the attackers get access to their pre-publication research files. That could be ten billion dollars in damages. For one client. Imagine five of the clients are pharmaceutical companies. The other clients could be financial institutions, cloud providers (who would in turn have their own affected clients), movie studios (and now all of the next year's movies are on The Pirate Bay prior to release), etc. All at the same time, for a single security incident.
And how do you put a price on the sort of national security threat it poses when foreign governments gain access to US government systems? Who do you even compensate for that?
This isn't the sort of problem insurance can fix.
Maybe what we need is something like publicly-funded security audits of popular software.