Swiss Re wants government bail out as cybercrime insurance costs spike As insurance companies struggle to stay afloat amid rising cyber claims, Swiss Re has recommended a public-private partnership insurance scheme with one option being a government-backed fund to help fill the coverage gap. Global cyber insurance premiums hit $10 billion in 2021, according to Swiss Re's estimates. In a study …
That is basically my point.
Insurers know (or should know) what they are insuring. If the risks are high (perhaps because a company does not keep its systems secure) then the premiums should be high. They have an option, which is not to insure that part of the business at all. Instead they seem to be wanting to take the money but pass on the bill for the clean up to the taxpayer. Guaranteed profits not risk.
I'm not sure that's what Swiss Re are saying at all. It seems to me that they are saying that companies globally are vastly underinsured, and should buy more insurance.
In other words, company selling a product says everyone else needs to buy more of their product.
Having a government fund to help cleanups would be of benefit to companies not buying cyber insurance, and it's existence would act as a disincentive to buy insurance. Government regulators should simply make sure that no one regulated entity is too big to fail, and allow the ones that fail to fold. Its how markets should work
Yes, if only we knew that doing that would prevent any kind of cyber incident back in 2009, we could have stopped it in its tracks. After all, there was no computer-based crime in 2008. Criminals also have no way of exchanging money except for cryptocurrency, so that's another ill of society that didn't exist back in 2008. I'm glad you're here to tell us the easy answers.
Cyber insurance covers (or claims to cover) a lot of things. Eliminating cryptocurrency wouldn't even stamp out ransomware, but if it did, there would still be problems.
This is the same “we shouldn’t ban assault rifles because people still commit crimes with handguns!” argument.
The fact that these reported losses seem to be skyrocketing might indicate that, actually, things have changed a bit in the last 10-15 years. I wonder what the difference could be?
Not exactly, though there are parallels. As the comment was written, it was a "we should ban assault rifles and there will be no more violence" argument. That is false, and using a lie to make an otherwise functional point harms an argument very badly.
I'm not going to argue a position on guns, as it's not relevant to this conversation, but the point with guns is that there are uses for them other than committing murder, and one has to balance those uses against the benefits from banning them. That can result in "no guns at all", "all guns at all times", or somewhere in between with specific types allowed and others not. The same applies to cryptocurrencies or anything else you name, since every item will create harm to somebody in some way. The general point is not viable (we could prevent the need for cyber insurance much more effectively by banning computer networks, but if I argued that we should, you'd reject it as the unworkable plan it is).
The argument was based on a fallacious statement, suggested a plan that is not viable, and did not attempt to address the ramifications the plan would have if implemented. I contend that it is simplistic to the point of incorrectness.
Nah, bro. You chose to misinterpret my statement so that you could argue against it.
The article is about reinsurers begging for bailouts to deal with the explosion of cybercrime losses. Cybercrime losses are exploding because of the ease of transmitting ransom payments across borders. The #1 facility for doing that is bitcoin.
Whatever else needs to be done, by *first* banning bitcoin we would shrink the problem back down to a manageable size.
Or I guess you could get ready to pay an extra $100 every time you get a dental cleaning or get your car looked at. You know, as a cybersecurity surcharge.
"The article is about reinsurers begging for bailouts to deal with the explosion of cybercrime losses"
No, that is just the reg's absurd alt-right spin on it. What is actually happening is that the biggest reinsurance fund in the world is saying this stuff is not currently insured, and should be, but probably needs govt subsidy for the premiums to be affordable given the liquidity issues.
"Cybercrime losses are exploding because of the ease of transmitting ransom payments across borders."
This is your problem. You see cyber insurance as paying ransoms, which sometimes happens, but that's not what it's mainly for and that's not what causes most losses. That insurance pays for a lot of things other than ransom payments, and some policies have been sane enough to prohibit paying those at all. They pay for recovery from damage. They pay for investigation of an incident. They pay for losses like having to pay for credit protection or liability for people whose data was stolen (theoretically). These things will not be stopped or shrunk meaningfully by stopping ransomware, and banning Bitcoin also won't prevent the most damaging ransomware either. You are looking only at one aspect of the problem and come to inaccurate conclusions on your limited understanding.
It isn't the governments that are slashing security spending left, right and centre (governments likely never have budget anyway). It isn't the governments playing security kabuki (especially not if they're nation state actors).
Can I make a counter-offer: only insure (or re-insure the insurers) if you've verified that their security isn't just lip service. Also, introduce personal liability for the executive and the board.
You can all stop bitterly laughing now.
I disagree. They definitely need to mature. Insurance has to calculate risk. That means that, for example, many insurance companies won't insure a property that's been smashed by the same natural disaster several times, is at high risk for another one, and has no precautions taken for when that happens. They've calculated that they're likely to have to pay for a very expensive repair and that nobody will pay a premium that would pay for a new house every three years. This doesn't please the owners of that property, but the insurance companies can decide whether they're willing to take the risk. They need to apply similar logic to whom they'll insure for cyber risk and what they'll do for them.
The most famous occasions have been ransomware, so I'll use that as an example. If the insurance company plans to insure a place for ransomware damage, they should probably check whether there are backups isolated from potential attacks, what restoration would look like, and the likelihood of damage that the backups won't handle. That makes a major difference to how much recovery is going to cost. They also have to look at the attack surface and internal security standards to at least estimate the risk of a successful attack getting started and spreading. Maybe they can also consider that paying a ransom is a bad idea which only increases the risk and stop doing it. This is how you do insurance-companying, and if cyberinsurance can't do the calculations that most other companies have, they deserve nothing from the rest of us when their acceptance of stupid risks lands them in bankruptcy.
These folks "presented" the world with the C language and the Unix OS written in C.
C and C++ based exploits are causing 70% of CVE exploits.
New projects should be realized in memory safe languages
http://sappeur.ddnss.de/Sappeur_Cyber_Security.pdf
+MODULA-2
+SPARK ADA
+OBERON
+RUST
+SAPPEUR
+SWIFT
+JAVA
+C#
Proven correct compilers and Operating Systems should be used
+seL4
+INRIA CompCert
https://www.microsoft.com/en-us/research/project/singularity/
Are you *seriously* trying to hold Bell Labs (and Dennis Ritchie) responsible for an alleged lack of foresight in not including present-day language features levels of safety in C? In a computer language that's literally fifty years old and was designed to run on early-1970s minicomputers?!
Do you have *any* idea how long ago that was or how primitive things were back then? This was five years before the first mass-market personal computers were even available, and a full decade before the ZX Spectrum was out. Even the PDP-11 minicomputer that would have cost the equivalent of well over $50,000 in today's money would have been dwarfed in terms of spec by a 1990s PC. (To put it in perspective, Wikipedia claims that, with the original version of the PDP-11, they were debating whether or not to make the minimum configuration 2 or 4 kilobytes).
C was indeed very close to the hardware and- in one sense- one step up from assembly language. (And, in fact, it literally replaced the assembly language that early versions of Unix were written in.) But on the other hand, it originated a *lot* of what we take for granted today.
Does it meet modern standards? Of course it doesn't. Are you really holding that against the creators of a language that came out in the same year as "Pong"?!
At the same time as Unix and C were created, the Algol Mainframes were developed by ICL, Burroughs and Moscow(now MCST).
These computers already had quite a few memory safety mechanisms.
https://www.infoq.com/presentations/Null-References-The-Billion-Dollar-Mistake-Tony-Hoare/
https://stackoverflow.com/questions/1463321/was-algol-ever-used-for-mainstream-programming
https://en.wikipedia.org/wiki/ICL_VME
"The market needs to mature further to ensure enough insurance protection is available," John Coletti, head cyber reinsurance at Swiss Re, told The Register. "Our industry has a key role to play by addressing three issues: improving data and modeling, increasing contract consistency and clarity and identifying new sources of capital."
I read that as yodelling.
Cyberinsurance doesn't work. 1) it will never cover the actual cost; 2) it gives companies an incentive to just pay up instead of fixing their rotten security; and 3) it simply tells the criminals to increase their demands because someone else is paying.
Adding state funds to the pot just makes the whole thing worse (except for the insurance companies, obviously).
I know from personal experience that you can get a *lot* of real security for the cost of cyberinsurance. So drop the insurance, and use the funds for something better.
If the insured companies actually used best practices, then insurance against unknown issues is reasonable.
But who decides what is "best practices" ?
Who mandates use of memory safe languages ?
Who mandates seL4 in certain areas ?
I guess the financial industry and central banks should come up with regulation, as the damage of 900 billions clearly threatens the entire economic system. They can always get help from other government agencies and specialist organizations such as HENSOLDT and INRIA.
Given that Swiss Re is a reinsurance company- i.e. one that insures the insurers- couldn't they just apply the same trick again and have insurance for reinsurers, i.e. rereinsurance?
We can solve the problem by simply applying this solution repeatedly.
And I know you think you've spotted the problem here... but don't worry- it's reinsurers all the way down!
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
