Software Insurance

Ariel E. Levite and Wyatt Hoffman have been surveying the state of relations between the insurance industry and software they are asked to insure. Here is a summary, published on Lawfare:

For many businesses, cyber risk was once either an amorphous threat or an occasional nuisance. But with reliance on all things digital skyrocketing, cyber threats now pose grave, even existential, dangers to corporations as well as the entire digital economy. In response, companies have begun to develop a cyber insurance market, offering corporations a mechanism to manage their exposure to these risks. Yet the prospects for this market now seem uncertain in light of a major court battle. Mondelez International is reportedly suing Zurich Insurance in Illinois state court for refusing to pay its $100 million claim for damages caused by the 2017 NotPetya attack.

They make explicit the risks insurers face:

Many hurdles stand in the way of insurance providing a more robust solution. Data on cyber risks are scarce, and the threat is evolving constantly, often rendering data obsolete before they can be used. That means actuaries lack a credible repository of information to accurately price cyber risk. Moreover, NotPetya and other attacks with cascading effects have reinforced fears of aggregation risk, meaning the potential for a single incident to cause simultaneous losses across multiple policyholders. If Zurich had underwritten even a handful of the major corporations disrupted by the attack, it could have faced catastrophic losses from just one incident. This is a particularly acute concern for reinsurers—companies that provide stop-loss coverage, or protection against unsustainably costly claims, to other insurers—making both reinsurers and primary cyber insurance providers naturally hesitant to support more extensive cyber underwriting. The lack of adequate reinsurance backing means that carriers may become overwhelmed with claims if a systemic cyber incident causes simultaneous losses across many policyholders.

And they have some recommendations, which appear to have one glaring hole:

In a recent Carnegie Endowment paper, we proposed a series of practical measures for insurers, corporations and governments to take—some separately, others together—to unlock the potential benefits of cyber insurance. These steps include upgrading the underwriting process, collaborating with cybersecurity services, and introducing specialized underwriting methodologies to better assess and price cyber risk. Governments, for their part, could help by developing common metrics for cyber-risk management, by encouraging companies to share information on cyber risks and security practices, and by standardizing corporate reporting requirements for cyber risk and data breaches. Sovereign wealth funds, holding companies and other major investors can also encourage responsible conduct by making regular, thorough cyber-risk assessments part of their due diligence.

Not all “cyber” risks are the result of poor programming, but most of them can be traced back to it. Yet, I don’t really see any attempts in the above to get the software suppliers to share in the risk. It’d take just one major supplier going bankrupt after losing a lawsuit over the security of their software, such as PegaSystems, to finally bring questions of software security to the foreground. Make the people who make real money off of software sweat. They’re not sweating right now.

For example, I recently was required to use a web site by my employer and decided to read the Terms of Use. It had two admirable characteristics: it was succinct and devoid of legalese. After that?

It contained a phrase that took me back. Way back. And now I cannot access their terms of use. Hah! However, this one comes close:

EXCEPT AS OTHERWISE EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER PARTY HERETO MAKES ANY REPRESENTATION AND EXTENDS NO WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, WITH RESPECT TO THE SUBJECT MATTER OF THIS AGREEMENT, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY ARISING OUT OF PRIOR COURSE OF DEALING AND USAGE OF TRADE.

Bold mine.

I recall seeing bullshit like this 30 years ago, but I’m shocked that it’s still around. No fitness for a particular purpose? I recognize they’re distinguishing intended use from warranted use, but come on – this is ridiculous.

And who the hell buys such software? Would you want to roll the dice on your toaster not exploding?

Have these guys heard of the related legal phrase, irremediable harm? Because that’s what we’re coming to. I used to work for a supplier of software for energy systems, and I have no idea if they used this phrase in their license agreement – but imagine, as is rumored, that some foreign party penetrates such a system and achieves a position where they could knock down the American electrical grid. And then does it.

We’ll get the grid back up, but in the meantime many businesses will be badly harmed – and some will go out of business. Not those businesses’ fault. Who is responsible?

Now, maybe it’s still accepted practice that software gets a free pass on this sort of thing. But this enablement, if you will, of poor software practices will defeat all the good intentions of the insurance industry. Right now they’re treating symptoms, so far as I can see in Levite and Hoffman’s summary (I trust their summary is complete, so I shan’t spend time I don’t have on reading the paper), not the source of the problem. Free marketeers might argue that the market sorts these things out by customer evaluation, but this is the argument of the zealot. The truth of the matter is that the entire facet is occult[1], as we’re not measuring functionality or performance or scalability, but the insecurity of the product. We barely even have measuring sticks, much less know how to apply them in a forward-thinking manner.

An agency to do this sort of thing has been suggested before. I still think it’s a good idea.

Just stick “S” for Software in the middle. Although it would also stand for “Shitload of Work.”


[1] “to block or shut off (an object) from view; hide.” If you prefer, occlude. Not the religious bullshit definition.


About Hue White

Former BBS operator; software engineer; cat lackey.
