S4x20 Video: Lessons Learned from Norsk Hydro on Loss Estimation and Cyber Insurance

I gave a talk at S4X20 in January on the Norsk Hydro ransomware attack.  The full video has now been posted on YouTube:




Like all great presentations, it includes a Seinfeld reference :-)

Talk Like a Cyber Insurance Risk Analyst

In a recent class on catastrophe risk modeling, I learned the definition of terms that are common in insurance but not so well understood elsewhere:

• Peril
• Exposure
• Hazard
• Ground-up Loss
• Risk

Read on for definitions, ending with an analogy that, hopefully, ties them all together.

The Cyber Insurance Emperor Has No Clothes

(Of course, the title is hyperbole and attention-seeking. Now that you are here, I hope you'll keep reading.)

(click to enlarge)

In the Hans Christian Anderson story, The Emperor's New Clothes, the collective delusion of the Emperor's grand clothes was burst by a young child who cried out: "But he has got nothing on!"

I don't mean that cyber insurance has no value or that it is a charade.

My main point: cyber insurance has the wrong clothes for the purposes and social value to which it aspires.

This blog post sketches the argument and evidence. I will be following up separately with more detailed and rigorous analysis (via computational modeling) that, I hope, will be publishable.

tl;dr: (switching metaphors)

As a driving force for better cyber risk management, today's cyber insurance is about as effective as eating soup with a fork.

(This is a long post. For readers who want to "cut to the chase",  you can skip to the "Cyber Insurance is a Functional Misfit" section.)