Cyberinsurance, what’s that?

I recently (OK, apparently nearly two months ago!) had an interview with Darren Pauli of Computerworld on cyber-insurance: insurance against ‘cyber attack’ such as denial-of-service attacks and data loss. The article can be found here: http://www.computerworld.com.au/index.php/id;261018472;relcomp;1 and the PDF version can be found here.

My basic thesis, which I tried to communicate to Darren (although I don’t know that I was all that successful), is that the window of opportunity for evil-doers is larger these days because virus-writers and ‘cyber-terrorists’ become aware of a vulnerability almost as soon as (if not sooner than) the software vendor itself. They therefore have more time to write software that attacks the system before it is patched. This is compounded by patch-issuers sticking to a ‘once-a-month’ patch regime, which gives a vulnerability a window of up to a month before it is patched (so if you launch your attack immediately after the last patch release, you have a better chance of success – er, of causing business failure).

The problem with cyber insurance, I think, would be that the incentives are all wrong: if I buy insurance for my data, my incentive is to be a little more lax about my data protection (I’m the only one who can really affect it and make it work), and the insurer doesn’t want to take on this risk. So the insurer wants its clients to implement security standards and approaches (and to audit against them), so that it knows a certain minimum standard is being met.

And, that’s difficult (and expensive) to do – just ask anyone in the US about Sarbanes-Oxley compliance for their information systems.
