Tag Archives: data breach

Dastardly Data Breaches

Like many people, I am concerned about security and privacy online but, until now, I have been too lazy to regularly change and vary my passwords or to use tools such as two-step or two-factor verification. Then I came across this article, which contained this paragraph:

How might a digital EPA function? Well, it could do some of the work that individuals do today. For example, the website of Australian security expert Troy Hunt, haveibeenpwned.com (“pwned” is how elite, or “l33t,” hackers, or “hax0rs,” spell “owned”), keeps track of nearly 5 billion hacked accounts. You give it your email, and it tells you if you’ve been found in a data breach. A federal agency could and should do that work, not just one very smart Australian—and it could do even better, because it would have a framework for legally exploring, copying, and dealing with illegally obtained information.

The haveibeenpwned website allows you to check whether your email address has appeared in a data breach. As far as I can assess, the website is legit (it passed my antivirus check and nothing suspicious came up on a Mr Google search about the website or Troy Hunt), though I cannot verify that as a fact.

Below is the number of data breach incidents caused by hacking, by the year in which they were made public, as disclosed and tracked by Privacy Rights Clearinghouse. 2016 includes high-profile incidents such as Yahoo and LinkedIn. Obviously, there are likely to be many more incidents which have not been detected or publicly disclosed.


Oh, and by the way, it looks like two-step or two-factor verification is also deeply flawed, according to this article. Nonetheless, I am told it's better to have it than not.

Cyber Insurance Catastrophe Scenario

The UK government and Marsh released an interesting report today on cyber risk and insurance. Most cyber insurance is written on a standalone basis or as an add-on to professional indemnity, D&O, general liability, or business interruption and property covers. Policy wordings and terms and conditions vary widely. One of the current uncertainties is what will happen when a major attack, or more likely a cluster of industry-wide cyber attacks, occurs, and how traditional insurance exclusions will hold up under legal challenge. The 2014 ruling on the 2011 Sony PlayStation data breach gave the insurance industry some comfort that the exclusions will stand up, but nothing is certain when new types of losses unforeseen by existing policy wordings meet the US legal system.

The report reveals some interesting facts about the market, such as the level and variability of current cyber insurance pricing, as the paragraph and graphic below show.

“There are several factors that influence the price of different insurance products. In the case of cyber insurance, the price may also be driven by uncertainty over the risk compared to more traditional covers. This seems to be the case, with much flatter pricing for cyber across firms than for other lines of insurance; the difference between third and first quartile pricing is 1.7x for cyber, 9.1x for general liability, and 2.6x for property. The combination of a higher absolute price and lower price differentiation suggests that cyber is early in its development and that underwriters are more conservative about the risk, creating a challenge to a core role of insurance – namely, that high pricing discourages take up, and flat pricing provides no incentive for firms to reduce their cyber risk and save on premiums.”

[Chart: 2014 Cyber Insurance Market Pricing]

On the topic of a probable maximum loss (PML) for the insurance sector, the report takes a fairly unscientific 20% of the estimated 2014 aggregate limit of £100 billion, a figure based on industry expert judgment, as its guesstimate.

[Chart: Cyber Catastrophe Scenario]

Given the need for insurers to diversify their product offerings in this soft specialty insurance market, future demand for cyber insurance products (the report says the cyber insurance market will grow threefold over the next 3 to 5 years) will mean that more accurate estimates of risk accumulation need to be developed.

At this stage in the product cycle for cyber insurance, most insurers can likely rely on their friendly and premium-hungry reinsurers to take the aggregation risk from their cyber exposures (estimated by the report to be £20 billion). Given the capital markets' current appetite for insurance risk, even at low yields, it would not surprise me if some investment bank is currently busily working away on the first cyber bond!