Swiss Re wants government bail out as cybercrime insurance costs spike

As insurance companies struggle to stay afloat amid rising cyber claims, Swiss Re has recommended a public-private partnership insurance scheme with one option being a government-backed fund to help fill the coverage gap. Global cyber insurance premiums hit $10 billion in 2021, according to Swiss Re's estimates. In a study …

  1. VoiceOfTruth

    It's capitalism

    Privatise the profitable bits, socialise all the losses. There shall at no time be any risk to the private sector. It's a rule

    1. Anonymous Coward

      Re: It's capitalism

      Yep. The days of insurers covering a risk in order to, on average, secure a return are long gone. Everyone just wants a guaranteed return.

      1. VoiceOfTruth

        Re: It's capitalism

        That is basically my point.

        Insurers know (or should know) what they are insuring. If the risks are high (perhaps because a company does not keep its systems secure) then the premiums should be high. They have an option, which is not to insure that part of the business at all. Instead they seem to be wanting to take the money but pass on the bill for the clean up to the taxpayer. Guaranteed profits not risk.

        1. jmch Silver badge

          Re: It's capitalism

          I'm not sure that's what Swiss Re are saying at all. It seems to me that they are saying that companies globally are vastly underinsured, and should buy more insurance.

          In other words, company selling a product says everyone else needs to buy more of their product.

          Having a government fund to help cleanups would be of benefit to companies not buying cyber insurance, and its existence would act as a disincentive to buy insurance. Government regulators should simply make sure that no one regulated entity is too big to fail, and allow the ones that fail to fold. It's how markets should work.

  2. Ace2 Silver badge

    Or we could just get rid of bitcoin…

    1. doublelayer Silver badge

      Yes, if only we knew that doing that would prevent any kind of cyber incident back in 2009, we could have stopped it in its tracks. After all, there was no computer-based crime in 2008. Criminals also have no way of exchanging money except for cryptocurrency, so that's another ill of society that didn't exist back in 2008. I'm glad you're here to tell us the easy answers.

      Cyber insurance covers (or claims to cover) a lot of things. Eliminating cryptocurrency wouldn't even stamp out ransomware, but if it did, there would still be problems.

      1. Ace2 Silver badge

        This is the same “we shouldn’t ban assault rifles because people still commit crimes with handguns!” argument.

        The fact that these reported losses seem to be skyrocketing might indicate that, actually, things have changed a bit in the last 10-15 years. I wonder what the difference could be?

        1. doublelayer Silver badge

          Not exactly, though there are parallels. As the comment was written, it was a "we should ban assault rifles and there will be no more violence" argument. That is false, and using a lie to make an otherwise functional point harms an argument very badly.

          I'm not going to argue a position on guns, as it's not relevant to this conversation, but the point with guns is that there are uses for them other than committing murder, and one has to balance those uses against the benefits from banning them. That can result in "no guns at all", "all guns at all times", or somewhere in between with specific types allowed and others not. The same applies to cryptocurrencies or anything else you name, since every item will create harm to somebody in some way. The general point is not viable (we could prevent the need for cyber insurance much more effectively by banning computer networks, but if I argued that we should, you'd reject it as the unworkable plan it is).

          The argument was based on a fallacious statement, suggested a plan that is not viable, and did not attempt to address the ramifications the plan would have if implemented. I contend that it is simplistic to the point of incorrectness.

          1. Ace2 Silver badge

            Nah, bro. You chose to misinterpret my statement so that you could argue against it.

            The article is about reinsurers begging for bailouts to deal with the explosion of cybercrime losses. Cybercrime losses are exploding because of the ease of transmitting ransom payments across borders. The #1 facility for doing that is bitcoin.

            Whatever else needs to be done, by *first* banning bitcoin we would shrink the problem back down to a manageable size.

            Or I guess you could get ready to pay an extra $100 every time you get a dental cleaning or get your car looked at. You know, as a cybersecurity surcharge.

            1. Dave314159ggggdffsdds Silver badge

              "The article is about reinsurers begging for bailouts to deal with the explosion of cybercrime losses"

              No, that is just the reg's absurd alt-right spin on it. What is actually happening is that the biggest reinsurance fund in the world is saying this stuff is not currently insured, and should be, but probably needs govt subsidy for the premiums to be affordable given the liquidity issues.

            2. doublelayer Silver badge

              "Cybercrime losses are exploding because of the ease of transmitting ransom payments across borders."

              This is your problem. You see cyber insurance as paying ransoms, which sometimes happens, but that's not what it's mainly for and that's not what causes most losses. That insurance pays for a lot of things other than ransom payments, and some policies have been sane enough to prohibit paying those at all. They pay for recovery from damage. They pay for investigation of an incident. They pay for losses like having to pay for credit protection or liability for people whose data was stolen (theoretically). These things will not be stopped or shrunk meaningfully by stopping ransomware, and banning Bitcoin also won't prevent the most damaging ransomware either. You are looking only at one aspect of the problem and come to inaccurate conclusions on your limited understanding.

  3. Michael Hoffmann Silver badge

    Why?

    It isn't the governments that are slashing security spending left, right and centre (governments likely never have budget anyway). It isn't the governments playing security kabuki (especially not if they're nation state actors).

    Can I make a counter-offer: only insure (or re-insure the insurers) if you've verified that their security isn't just lip service. Also, introduce personal liability for the executive and the board.

    You can all stop bitterly laughing now.

    1. Anonymous Coward

      Re: Why?

      Absolutely this. You don't insure a driver without them having a valid license (albeit it's not always a great guide to competence), so why would you insure a company against an electronic break-in without first checking they at least have doors on the property?

  4. Claptrap314 Silver badge

    It's not the insurance industry

    that needs to mature in this case.

    Except for that bit about whining when a bet turns sour.

    1. doublelayer Silver badge

      Re: It's not the insurance industry

      I disagree. They definitely need to mature. Insurance has to calculate risk. That means that, for example, many insurance companies won't insure a property that's been smashed by the same natural disaster several times, is at high risk for another one, and has no precautions taken for when that happens. They've calculated that they're likely to have to pay for a very expensive repair and that nobody will pay a premium that would pay for a new house every three years. This doesn't please the owners of that property, but the insurance companies can decide whether they're willing to take the risk. They need to apply similar logic to whom they'll insure for cyber risk and what they'll do for them.

      The most famous occasions have been ransomware, so I'll use that as an example. If the insurance company plans to insure a place for ransomware damage, they should probably check whether there are backups isolated from potential attacks, what restoration would look like, and the likelihood of damage that the backups won't handle. That makes a major difference to how much recovery is going to cost. They also have to look at the attack surface and internal security standards to at least estimate the risk of a successful attack getting started and spreading. Maybe they can also consider that paying a ransom is a bad idea which only increases the risk and stop doing it. This is how you do insurance-companying, and if cyberinsurance can't do the calculations that most other companies have, they deserve nothing from the rest of us when their acceptance of stupid risks lands them in bankruptcy.

  5. Anonymous Coward

    Bill Microsoft

    It's their shite at the core of the problem.

    1. fg_swe Silver badge

      Plus: AT&T Bell Labs

      These folks "presented" the world with the C language and the Unix OS written in C.

      C and C++ based exploits are causing 70% of CVE exploits.

      New projects should be realized in memory safe languages

      http://sappeur.ddnss.de/Sappeur_Cyber_Security.pdf

      +MODULA-2

      +SPARK ADA

      +OBERON

      +RUST

      +SAPPEUR

      +SWIFT

      +JAVA

      +C#

      Proven correct compilers and Operating Systems should be used

      +seL4

      +INRIA CompCert

      https://www.microsoft.com/en-us/research/project/singularity/

      1. Michael Strorm Silver badge

        Sheesh...!

        Are you *seriously* trying to hold Bell Labs (and Dennis Ritchie) responsible for an alleged lack of foresight in not including present-day language features levels of safety in C? In a computer language that's literally fifty years old and was designed to run on early-1970s minicomputers?!

        Do you have *any* idea how long ago that was or how primitive things were back then? This was five years before the first mass-market personal computers were even available, and a full decade before the ZX Spectrum was out. Even the PDP-11 minicomputer that would have cost the equivalent of well over $50,000 in today's money would have been dwarfed in terms of spec by a 1990s PC. (To put it in perspective, Wikipedia claims that, with the original version of the PDP-11, they were debating whether or not to make the minimum configuration 2 or 4 kilobytes).

        C was indeed very close to the hardware and- in one sense- one step up from assembly language. (And, in fact, it literally replaced the assembly language that early versions of Unix were written in.) But on the other hand, it originated a *lot* of what we take for granted today.

        Does it meet modern standards? Of course it doesn't. Are you really holding that against the creators of a language that came out in the same year as "Pong"?!

        1. fg_swe Silver badge

          Algol Mainframes

          At the same time as Unix and C were created, the Algol Mainframes were developed by ICL, Burroughs and Moscow(now MCST).

          These computers already had quite a few memory safety mechanisms.

          https://www.infoq.com/presentations/Null-References-The-Billion-Dollar-Mistake-Tony-Hoare/

          https://stackoverflow.com/questions/1463321/was-algol-ever-used-for-mainstream-programming

          https://en.wikipedia.org/wiki/ICL_VME

    2. Michael Strorm Silver badge

      Re: Bill Microsoft

      Bill Microsoft? Wasn't he Tim Apple's nemesis back in the day?

  6. Old Man Ted

    Why it Insurance?

    If the bookmakers won't take your bet it means that they will lose. So why not get a better operating or a safer storage system than rely on a pie in the sky cloud?

    1. fg_swe Silver badge

      Re: Why it Insurance?

      Indeed, Google is one of the leaders

      https://opensource.googleblog.com/2022/10/announcing-kataos-and-sparrow.html

      seL4+Rust !

  7. Claverhouse

    "The market needs to mature further to ensure enough insurance protection is available," John Coletti, head cyber reinsurance at Swiss Re, told The Register. "Our industry has a key role to play by addressing three issues: improving data and modeling, increasing contract consistency and clarity and identifying new sources of capital."

    I read that as yodelling.

  8. s. pam

    isn't this a case of

    a drug dealer telling their customers they need to buy more drugs to get over the drugs they've already bought?

    will SwissRe be returning profits to any customer or government dain bread enough to sign up? of course not!

  9. storner

    It's a scam

    Cyberinsurance doesn't work. 1) it will never cover the actual cost; 2) it gives companies an incentive to just pay up instead of fixing their rotten security; and 3) it simply tells the criminals to increase their demands because someone else is paying.

    Adding state funds to the pot just makes the whole thing worse (except for the insurance companies, obviously).

    I know from personal experience that you can get a *lot* of real security for the cost of cyberinsurance. So drop the insurance, and use the funds for something better.

    1. fg_swe Silver badge

      OR

      The insurance companies could demand security best practices and also check whether the customer implemented them.

      They could reduce premiums by 70% if your customer-facing code is done in Rust or Sappeur. They (or an agent of them) could perform code reviews, etc.

      1. Ace2 Silver badge

        Re: OR

        You want to have an *insurance agent* reviewing your code???

        1. fg_swe Silver badge

          Re: OR

          No, the "agent" of the insurance companies would be IT security companies acting on behalf of the insurer.

  10. Anonymous Coward

    Or maybe try...

    replacing their politically motivated CIOs and Project Managers with technology / security motivated engineers? Crazy idea, I know, but it might work.

    Anon because I might be known around these parts

  11. Anonymous Coward

    What is it really about?

    "keep the insurance industry profitable."

    That's all, not security, not safety, not better health, living, it is only about "profitable"

    Insurance is supposed to be there for Unexpected Emergencies, not cover neglect of duties.

    1. fg_swe Silver badge

      Well

      If the insured companies actually used best practices, then insurance against unknown issues is reasonable.

      But who decides what is "best practices"?

      Who mandates use of memory safe languages?

      Who mandates seL4 in certain areas?

      I guess the financial industry and central banks should come up with regulation, as the damage of 900 billion clearly threatens the entire economic system. They can always get help from other government agencies and specialist organizations such as HENSOLDT and INRIA.

  12. Michael Strorm Silver badge

    How to solve reinsurance forever!!!!!1111

    Given that Swiss Re is a reinsurance company- i.e. one that insures the insurers- couldn't they just apply the same trick again and have insurance for reinsurers, i.e. rereinsurance?

    We can solve the problem by simply applying this solution repeatedly.

    And I know you think you've spotted the problem here... but don't worry- it's reinsurers all the way down!

  13. Ian Johnston Silver badge

    Why are insurance companies selling policies on which they are making huge losses? Why not whack up the premiums or decline cover?
