DYNAMIC SECURITY RATING FOR CYBER INSURANCE PRODUCTS
In one or more embodiments, the technology determines one or more cyber insurance policies and/or products based on a company's real-time exposure to a cyber attack on one or more of its computing assets. The technology performs various security analysis techniques to explore, locate, and evaluate a company's network/assets for creating risk and damage assessments that are used for dynamically determining a cyber insurance that is tailored to that company at that moment of time and, optionally, based on future projections. The technology can continuously or semi-continuously monitor the company's network for any changes and, upon detection of changes that could affect the company's exposure to a cyber attack, provide information associated with the detected changes as feedback to allow determination of new/modified cyber insurance policies/products.
This patent application claims priority to U.S. Provisional Application No. 62/066,716, filed Oct. 21, 2014. The entire content of the before-mentioned provisional patent application is incorporated by reference as part of the disclosure of this application.
TECHNICAL FIELD
The present disclosure relates generally to systems, apparatuses, methods, and computer programs that are stored on non-transitory storage media (collectively referred to as the “technology”) related to determining a company's vulnerability to a cyber security-related attack (“cyber attack”) and, based on the level of vulnerability, determining tailored cyber insurance policies and/or products to insure against the cyber attack.
BACKGROUND
This section is intended to provide a background or context to the disclosed embodiments that are recited in the claims. The description herein may include concepts that could be pursued, but are not necessarily ones that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, what is described in this section is not prior art to the description and claims in this application and is not admitted to be prior art by inclusion in this section.
Insurance is a risk management tool primarily used by individuals, businesses, and other organizations to hedge against the risk of a contingent, uncertain loss that they can't or don't want to bear alone. An insured, or policyholder, can buy an insurance policy from an insurer, or insurance carrier, for an amount of money, called the premium, for a certain amount of insurance coverage specified by an insurance policy. Traditionally, insurance policies available to cover business losses may be classified as: (1) business personal insurance policies to cover first-party losses; (2) business interruption policies; (3) commercial general liability or umbrella liability insurance policies, to cover liability for damages to third parties; and (4) errors and omissions insurance to cover the company's officers. These traditional insurance policies were designed to cover the traditional perils of fires, floods, and other forces of nature.
In the last half century, computers have become an integrated part of life for individuals and organizations. As organizations become more dependent on their networked computer assets, they become more vulnerable to harm from increasingly frequent and damaging attacks made possible by computers. Since traditional insurance policies were normally written before the advent of the Internet, they do not expressly cover new computer-related risks. Cyber insurance is a specialty insurance product that covers losses associated with a company's information assets, including computer-generated, stored, and processed information. Cyber insurance may become part of the overall solution to computer network and system security, which becomes more and more important due to the increasing number of virus attacks, hacker assaults, and other IT security incidents. However, due to the ever-changing nature of cyber security and cyber vulnerabilities, traditional insurance or even cyber insurance policies and associated premiums do not adequately correspond to the level of risk that is associated with a computer asset.
SUMMARY OF CERTAIN EMBODIMENTS
The disclosed technology relates to determination of one or more cyber insurance policies, products and/or ratings based on processing of real-time information related to cyber attacks on one or more computing assets that are coupled to a computer network.
One aspect of the technology relates to a method for producing insurability ratings for a product or service. The method includes receiving, at a processor that is implemented at least in-part by electronic circuitry and coupled to a computer network, real-time data indicative of cyber attacks that are likely to diminish a value of the product or service. The method further includes using the processor to process the real-time data to compute a real-time damage assessment associated with losses to the product or service due to occurrence of one or more cyber-attacks. The damage assessment is computed using at least a likelihood of occurrence of the one or more cyber attacks, a likelihood of success of the one or more cyber attacks, and a measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks. The above noted method also includes using the processor to determine an insurability rating for the product or service that is usable for determination of an amount of insurance that sufficiently insures against the occurrence of the one or more cyber attacks. The insurability rating is determined at least in-part based on the real-time damage assessment and is changeable in response to changes in the received real-time data.
In one exemplary embodiment, the method further includes using the insurability rating to produce an insurance premium value for the product or service. In another exemplary embodiment, the real-time damage assessment is computed on an on-going basis based on changes in the real-time data with a time granularity of 1 microsecond or less. In yet another exemplary embodiment, the insurability rating is produced at least in-part by processing the real-time damage assessment over a pre-determined time interval and determining a statistical value associated with a plurality of insurability rating values over the pre-determined time interval. In some embodiments, the statistical value is an average of the plurality of insurability rating values over the pre-determined time interval. In some exemplary embodiments, the statistical value is a weighted average of the plurality of insurability rating values over the pre-determined time interval, and insurability rating values that correspond to later time instances within the pre-determined time interval are assigned a larger weight compared to insurability rating values that correspond to earlier time instances within the pre-determined time interval. In some example embodiments, the pre-determined time interval is one of: one hour, one day, one week or one month.
According to one exemplary embodiment, the above noted method further includes determining at least one additional insurability rating based on the real-time data, where one of the insurability rating or the additional insurability rating corresponds to a short-term insurability rating, and the other of the insurability rating or the additional insurability rating corresponds to a long-term insurability rating. In some exemplary embodiments, the short-term insurability rating corresponds to a time period that is in the range of one hour to one day, and the long-term insurability rating corresponds to a time period that is greater than one day and up to one month. In still another exemplary embodiment, the real-time damage assessment is computed using a weighted average technique that assigns a first weight to the likelihood of occurrence of the one or more cyber attacks, a second weight to the likelihood of success of the one or more cyber attacks, and a third weight to the measure of severity of damage to the product or service. In yet another exemplary embodiment, each of the likelihood of occurrence of the one or more cyber attacks, the likelihood of success of the one or more cyber attacks, and the measure of severity of damage to the product or service is determined using historical information associated with previously launched cyber attacks against the product or the service. For example, the historical information can include one or more of: a number of previous cyber attacks against the product or service, a rate of success of previous cyber attacks against the product or service, an amount of damage to the service or product caused by a previous cyber attack, or a frequency of occurrence of cyber attacks against other entities that offer products or services that are similar to the product or service.
In one exemplary embodiment, the likelihood of occurrence of the one or more cyber attacks is produced by analyzing data associated with patterns of cyber activity over a plurality of data networks in real-time. In some embodiments, the patterns of cyber activity are indicative of cyber attacks on other organizations with network connectivity. In another exemplary embodiment, the insurability rating is determined using an inverse proportionality relationship with respect to the real-time damage assessment. In yet another exemplary embodiment, the insurability rating is determined based in-part on existing cybersecurity countermeasures that are deployed to protect computers, networks or storage units that participate in storage, production or distribution of the product or service. In some embodiments, the insurability rating is modified based on changes in the cybersecurity countermeasures deployed to protect computers, networks or storage units that participate in storage, production or distribution of the product or service.
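The rating pipeline described in the summary above (weighted-average damage assessment, an insurability rating inversely proportional to it, a recency-weighted statistic over a one-hour and a one-day interval, and a rating change when a countermeasure is deployed), worked through as an added example; this is not code from the patent application. The three weights, the 1/(1 + damage) form of inverse proportionality, the linear recency weights and the attack-data feed are assumptions.

```python
"""Insurability rating from real-time attack data (added example, not the application's code)."""
from dataclasses import dataclass, replace
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class AttackSample:
    """One real-time observation for the insured product or service."""
    t: int            # seconds since the start of the observed day (constructed)
    p_occur: float    # likelihood of occurrence, 0..1 (derived upstream from network activity patterns)
    p_success: float  # likelihood of success against the deployed countermeasures, 0..1
    severity: float   # measure of severity of the resulting damage, 0..1


# First, second and third weight of the weighted-average damage assessment (assumed values).
W_OCCUR, W_SUCCESS, W_SEVERITY = 0.3, 0.3, 0.4
HOUR, DAY = 3600, 86400  # short-term and long-term intervals named in the text


def damage_assessment(s: AttackSample) -> float:
    """Weighted average of likelihood of occurrence, likelihood of success and severity."""
    for name in ("p_occur", "p_success", "severity"):
        v = getattr(s, name)
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"{name}={v} outside [0, 1]")
    return W_OCCUR * s.p_occur + W_SUCCESS * s.p_success + W_SEVERITY * s.severity


def insurability_rating(damage: float) -> float:
    """Inverse proportionality to the damage assessment.

    1 / (1 + damage) is one such form (assumed): a zero assessment gives the best
    rating, 1.0, and the rating stays finite instead of dividing by zero.
    """
    if not 0.0 <= damage <= 1.0:
        raise ValueError("damage assessment must lie in [0, 1]")
    return 1.0 / (1.0 + damage)


def recency_weighted_rating(ratings: Sequence[float]) -> float:
    """Weighted average over an interval in which later ratings carry larger weight.

    Ratings must be in chronological order; linear weights 1, 2, ..., n are assumed.
    """
    if not ratings:
        raise ValueError("no ratings in the interval")
    weights = range(1, len(ratings) + 1)
    return sum(w * r for w, r in zip(weights, ratings)) / sum(weights)


def interval_rating(samples: Sequence[AttackSample], window: int, now: int) -> float:
    """Statistical rating over the samples whose timestamp lies in [now - window, now]."""
    in_window = sorted((s for s in samples if now - window <= s.t <= now), key=lambda s: s.t)
    return recency_weighted_rating([insurability_rating(damage_assessment(s)) for s in in_window])


def with_countermeasure(s: AttackSample, success_reduction: float) -> AttackSample:
    """Model a newly deployed countermeasure as a proportional cut in the likelihood of success."""
    if not 0.0 <= success_reduction <= 1.0:
        raise ValueError("success_reduction must lie in [0, 1]")
    return replace(s, p_success=s.p_success * (1.0 - success_reduction))


# Constructed feed: a quiet day that ends with a surge of attack activity in the last hour.
FEED: List[AttackSample] = [
    AttackSample(t=0,          p_occur=0.1, p_success=0.3, severity=0.5),
    AttackSample(t=DAY // 2,   p_occur=0.2, p_success=0.3, severity=0.5),
    AttackSample(t=DAY - HOUR, p_occur=0.5, p_success=0.6, severity=0.5),
    AttackSample(t=DAY - 1800, p_occur=0.8, p_success=0.7, severity=0.5),
    AttackSample(t=DAY,        p_occur=0.9, p_success=0.8, severity=0.5),
]


def rating_report(samples: Sequence[AttackSample] = FEED, now: int = DAY) -> Dict[str, float]:
    """Short-term (one hour) and long-term (one day) insurability ratings at time `now`."""
    return {
        "short_term": interval_rating(samples, HOUR, now),
        "long_term": interval_rating(samples, DAY, now),
    }


if __name__ == "__main__":
    # The recent surge drags the short-term rating below the long-term one.
    for label, value in rating_report().items():
        print(f"{label}: {value:.3f}")
```

Because later samples are weighted more heavily, the one-hour rating reacts to the surge immediately while the one-day rating still reflects the quiet morning, which is the short-term versus long-term distinction the text draws.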
In another exemplary embodiment, the above noted method further includes providing one or more of the following to an entity that is interested in obtaining or maintaining insurance coverage for the product or service: (a) information regarding the real-time damage assessment, (b) information regarding the likelihood of occurrence of the one or more cyber attacks, (c) information regarding the likelihood of success of the one or more cyber attacks, (d) information regarding the measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks, (e) a recommendation for obtaining additional cybersecurity countermeasures, or (f) a particular cybersecurity countermeasure.
Another aspect of the technology relates to a computer program product, embodied on one or more non-transitory computer media, that includes program code for receiving real-time data from a computer network at a processor that is implemented at least in-part by electronic circuitry, where the real-time data is indicative of cyber attacks that are likely to diminish a value of the product or service. The computer program product further includes program code for processing by the processor the real-time data to compute a real-time damage assessment associated with losses to the product or service due to occurrence of one or more cyber-attacks, where the damage assessment is computed using at least a likelihood of occurrence of the one or more cyber attacks, a likelihood of success of the one or more cyber attacks, and a measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks. The computer program product further includes program code for determining by the processor an insurability rating for the product or service that is usable for determination of an amount of insurance that sufficiently insures against the occurrence of the one or more cyber attacks, where the insurability rating is determined at least in-part based on the real-time damage assessment and is changeable in response to changes in the received real-time data.
Another aspect of the technology relates to a device that includes a processor implemented using electronic circuitry, and a memory comprising processor executable code. The processor executable code, when executed by the processor, causes the device or the components of the device to receive real-time data indicative of cyber attacks that are likely to diminish a value of the product or service, and process the real-time data to compute a real-time damage assessment associated with losses to the product or service due to occurrence of one or more cyber-attacks. The damage assessment is computed using at least a likelihood of occurrence of the one or more cyber attacks, a likelihood of success of the one or more cyber attacks, and a measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks. The processor executable code, when executed by the processor, further causes the device or the components of the device to determine an insurability rating for the product or service that is usable for determination of an amount of insurance that sufficiently insures against the occurrence of the one or more cyber attacks, where the insurability rating is determined at least in-part based on the real-time damage assessment and is changeable in response to changes in the received real-time data.
Another aspect of the technology relates to a system for determining an insurability rating of a service or product that includes a server device coupled to a computer network to receive real-time data indicative of cyber attacks that are likely to diminish a value of the product or service and to produce an insurance premium estimate based at least in-part on the received real-time data. The system also includes a client device coupled to the computer network to receive the insurance premium estimate produced by the server device. The server device uses the real-time data to compute a real-time damage assessment associated with losses to the product or service due to occurrence of one or more cyber-attacks, where the damage assessment is computed using at least a likelihood of occurrence of the one or more cyber attacks, a likelihood of success of the one or more cyber attacks, and a measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks. The server device determines an insurability rating for the product or service that is usable for determination of an amount of insurance that sufficiently insures against the occurrence of the one or more cyber attacks, where the insurability rating is determined at least in-part based on the real-time damage assessment and is changeable in response to changes in the received real-time data.
In the following description, for purposes of explanation and not limitation, details and descriptions are set forth in order to provide a thorough understanding of the disclosed embodiments. However, it will be apparent to those skilled in the art that the present invention may be practiced in other embodiments that depart from these details and descriptions. Additionally, in the subject description, the word “exemplary” is used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as “exemplary” is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word exemplary is intended to present concepts in a concrete manner.
Cyber insurance can, in principle, be an important risk-management tool for strengthening IT security and reliability for companies. There may be many parties involved in the cyber insurance industry, including underwriters, agents, clients, code writers, inspectors, and vendors of products and services, working together to provide the needed coverage for the policy holders.
In some cases, specialized policies can cover losses from computer viruses or other malicious code, destruction or theft of data, business interruption, denial of service, and/or liability resulting from e-commerce or other networked IT failures. In some other cases, insurance policies for cyber insurance may cover the cost of legal disputes arising from cyber attacks on the insurance policy holder's digital assets. In still other cases, cyber insurance policies may specifically exclude certain coverages, for example by excluding “electronic data,” “computer code,” and other similar terms from coverage as tangible property.
For an insurance policy, the deductible may play an important role in managing cyber security risk. For example, the deductible amount may be a way of lowering the insurance company's risk, since a higher deductible can reduce the amount paid out on a claim. In particular, higher deductibles can be imposed for companies with greater cyber security risks, such as those companies with consistently lower investment in cyber security, with poor security controls or with inadequate IT staff, among other factors. From a risk management point of view, it is important for a company to understand that deductibles affect the premiums. A lower deductible can lead to a higher premium, and vice versa.
Premiums can vary according to the specific situation and the amount of coverage, and can range from a few thousand dollars for base coverage for small businesses to several hundred thousand dollars for major corporations with comprehensive coverage. Premiums may depend on the individual company's security risk exposure and can vary substantially depending on the insurance provider. For example, the premiums may depend on the number of computers affected, company-level dollar loss distribution, and the timing of the breach event. Premiums may also depend on the industry the company is operating in. For example, a company operating in the high-tech area may rely more heavily on computers and thus have greater exposure to computer risks, which leads to a higher premium. A premium may further depend on the elements of the insurance contract, such as the settlement amount that is paid, the occurrence of the event covered by the contract, and the time when the settlement is paid.
Before issuing a cyber insurance policy, an insurance carrier may require audits by independent IT security consultants on a case-by-case basis, depending on the risks to be covered and the policy limits sought. To this end, a cyber insurance underwriter may first ask prospective clients to complete an information security assessment that covers items such as: standard configurations with security documentation for firewalls, routers, and operating systems; information security policies, including password management, virus protection, encryption, and security training for employees; vulnerability monitoring and patch management; physical security and access controls, including remote access; privacy and confidentiality policies; backup and restoration provisions; business continuity planning; periodic testing of security controls; and outsourcing and other third-party security provisions.
Various parties of the cyber insurance industry, such as underwriters, agents, clients, code writers, inspectors, and vendors of products and services, may interact using modern insurance information systems. An insurance information system may need wide functionality, including both traditional tasks of information systems, like data processing and storage, and more advanced functions that have traditionally been done by humans, such as risk evaluation.
While these tasks may have been carried out sufficiently for traditional insurance policies, they suffer from major drawbacks in the realm of cyber insurance due to the proliferation of online cyber attacks that can simultaneously and quickly breach many computer systems, databases and networks and result in loss of data or the compromise of financial, medical or military secrets or assets. Therefore, there is an urgent need to continuously monitor and predict cyber space activities and relate those activities to risks to an insured (or insurable) product or service. Using such a real-time insurance assessment system benefits both the insured and the insurer by allowing a more accurate and realistic risk assessment to take place, as well as enabling the insurer to quickly alert the insured of impending attacks or existing security vulnerabilities. Further, such a system can be used to create offers for clients and make insurance deals online, to process insurance cases automatically and to automate many other tasks.
In various embodiments, the technology determines one or more cyber insurance policies and/or products based on a company's real-time exposure to a cyber attack on one or more of its computing assets (e.g., a computer serving company data). The technology performs various security analysis techniques to explore, locate, and evaluate a company's assets for creating risk and damage assessments that are used to dynamically determine cyber insurance policies/products that are tailored to that company at that moment of time and, optionally, based on future projections. The technology can continuously or semi-continuously monitor the company's network for any changes to assets and, if changes are detected that could affect the company's exposure to a cyber attack, information associated with the detected changes is fed back to aspects of the technology that are configured to determine new/modified cyber insurance policies/products.
In various embodiments, the technology identifies vulnerabilities of computing assets (e.g., computers, servers, mobile devices, databases, storage technology, cloud infrastructure, network appliances, intrusion detection systems (IDSs), firewalls, etc.) that may be used in a cyber attack for exploiting resources (e.g., consumer data, such as credit card numbers) stored in or accessible to a company's network(s). Vulnerabilities are identified using various network security audit standards and technologies, such as the Payment Card Industry Data Security Standard (PCI DSS), other standard(s) and/or one or more penetration tests for analyzing assets for various vulnerabilities that may be exploited via internal and/or external cyber attacks. Security audits, in some embodiments, determine the feasibility of a particular set of real and/or potential attack vectors, identify higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence, assess the magnitude of potential business and operational impacts of successful attacks, test the ability of network defenders (e.g., security personnel, firewalls, IDSs, etc.) to successfully detect and respond to the cyber attacks, and provide evidence to support increased investments in technology and insurance. Damage values are assigned to tangible (e.g., theft of credit card numbers) and/or intangible (e.g., reputation) losses associated with an occurrence of one or more cyber-attacks which could successfully exploit an asset's software and/or hardware vulnerabilities.
For example, the technology can determine that an asset storing trade secrets and credit card information has a higher economic damage value than a value associated with a redundant publicly accessible webserver. Damage values are, in various embodiments, adjusted based on various damage indicators, such as the complexity and/or sophistication required to execute an exploit, availability of an exploit, a likelihood of the occurrence of a cyber-attack, and/or likelihood of success of a cyber-attack. For example, an asset storing trade secrets can have an increased damage value if the asset is vulnerable to, e.g., more than one exploit, less complex exploits, and/or widely known exploits. Based at least on a damage value associated with an asset, the technology, in some embodiments, is configured to dynamically determine an amount of insurance for sufficiently insuring against the occurrence of the cyber-attack. In various embodiments, the technology automatically and periodically performs real-time security audits to continuously or semi-continuously reassess a company's vulnerability to new cyber threats and dynamically determine new damage values and, in response, corresponding new recommendations for insurance coverage.
In some embodiments, the technology is a computer program product or service, a device or a system configured with program code for receiving real-time data indicative of cyber attacks that are likely to diminish a value of the product or service. For example, the technology can leverage various databases, websites, the darknet, bit torrents, and/or other networks and data sources for determining known exploits and/or generating new or modified versions of known exploits. The program code is configured to process real-time data to compute a real-time damage assessment associated with losses for an occurrence of one or more cyber attacks. For example, the damage assessment can be computed using a likelihood of the occurrence of the one or more cyber attacks, a likelihood of success of the one or more cyber attacks, and a measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks. The program code, in various embodiments, is configured with technology that determines an insurability rating for the product or service for insuring against the cyber attacks. The insurability rating is usable for determination of an amount of insurance that sufficiently insures against the occurrence of the one or more cyber attacks, is based at least in-part on the real-time damage indicator, and is changeable in response to changes in the received real-time data.
In various embodiments, the technology determines asset risk assessments, asset damage assessments, and customer risk assessments. Assessments are snapshots of real-time asset and/or company behavior based on various indicators and expressed as simple values, such as a number, percentage, hash, etc. Each asset, in one or more embodiments, is associated with one or more profiles or other data structures (“profiles”) that are associated with indicators that define asset and/or company characteristics and are used by the technology as variables for calculating an assessment value. For example and as further described below, the technology can determine that an asset (e.g., a server) has a risk assessment of 8 out of 10 (i.e., 0.8) based on various indicators in that asset's profile, such as being a public server (i.e., a first indicator) operating using an older operating system and/or other software products (i.e., a second indicator) that has known vulnerabilities (i.e., a third indicator). That asset (e.g., the server described above) is also, in one or more embodiments, associated with a damage assessment, which is a measure of a company's estimated loss of capital and/or intangible losses (e.g., loss due to an adverse effect to company reputation) if the asset were compromised by a cyber-attack. Similar to the determination of the risk assessment, a damage assessment for the server mentioned above could be, for example, 3 out of 10 (i.e., 0.3) because the server stores lower valued webpages and, if compromised, would not negatively affect the company's reputation. By determining respective snapshots associated with risk and damage, the technology can efficiently and quickly identify, in real-time, assets at most risk of being compromised, associated losses and, in response, recommend insurance policies based on a company's unique circumstance and preferences.
In some embodiments, multiple risk assessments are combined into a single meta-value that represents some or all of a company's assessments (e.g., a company's subsidiaries, different departments, or portions of a network).
In some embodiments, a profile is referenced for determining a company risk assessment, i.e., the level of risk associated with a specific company based on, for example, various indicators such as an amount of capital the company is willing to invest in cyber insurance, its risk tolerance, the number of assets to insure, existing security measures (e.g., an implemented network operating center (NOC), staff, and/or disaster recovery protocols), whether the company is high profile, the company's business, any history of attacks and their success, etc. Company risk profiles are automatically and/or manually determined and, in various embodiments, include a company's threshold tolerance for preventing and/or insuring against a determined level of financial loss (e.g., up to $2 million USD) as a result of the occurrence of the cyber-attack on an asset.
In one or more embodiments, based on one or more indicators of the asset risk profile, asset damage profile, and/or company risk profile, the technology determines one or more insurance policies/products specific to the company. In various embodiments, the technology continuously, or on a schedule, updates the profiles based on changes to the assets or company (e.g., a new asset is added or an asset is recommissioned, critical data is moved, new vulnerabilities are discovered, etc.). In response to the changes to one or more of the profiles, the technology dynamically and automatically determines a new policy tailored to the changed profiles. This feedback technique allows the company to efficiently and comprehensively understand, in real time, where it has vulnerabilities and how best to insure against losses.
Referring to
The input devices 102 may include a keyboard, a pointing device such as a mouse, and described technology for receiving human voice, touch, and/or sight (e.g., a microphone, a touch screen, and/or smart glasses). Other input devices are possible such as a joystick, pen, game pad, scanner, digital camera, video camera, and the like. The data storage devices 104 may include any type of computer-readable media that can store data accessible by the computer 100, such as magnetic hard and floppy disk drives, optical disk drives, magnetic cassettes, tape drives, flash memory cards, digital video disks (DVDs), Bernoulli cartridges, RAMs, ROMs, smart cards, etc. Indeed, any medium for storing or transmitting computer-readable instructions and data may be employed, including a connection port to or node on a network, such as a LAN, WAN, or the Internet (not shown in
Aspects of the described technology may be practiced in a variety of other computing environments. For example, referring to
At least one server computer 208, coupled to the network 206, performs some or all of the functions for receiving, routing, and storing of electronic messages, such as security data, web pages, audio signals, electronic images, and/or other data. While the Internet is shown, a private network, such as an intranet, may be preferred in some applications. The network may have a client-server architecture, in which a computer is dedicated to serving other client computers, or it may have other architectures, such as a peer-to-peer, in which one or more computers serve simultaneously as servers and clients. A database or databases 210, coupled to the server computer(s), store some content (e.g., security-related data) exchanged between the user computers; however, content may be stored in a flat or semi-structured file that is local to or remote of the server computer 208. The server computer(s), including the database(s), may employ security measures to inhibit malicious attacks on the system and to preserve the integrity of the messages and data stored therein (e.g., firewall systems, secure socket layers (SSL), password protection schemes, encryption, and the like).
The server computer 208 may include a server engine 212, a security management component 214, an insurance management component 216, and a database management component 218. The server engine 212 performs basic processing and operating system level tasks. The security management component(s) 214 handle creation, streaming, processing and/or routing of networking and/or security data. Security management components 214, in various embodiments, includes other components and/or technology, such as an asset risk component, asset damage component, company risk component and/or other components and/or assessment technologies, described below. Users may access the server computer 208 by means of a network path associated therewith. The insurance management component 216 handles processes and technologies that support the collection, managing, and publishing of insurance and/or cyber-related data and information, and other data. The database management component 218 includes storage and retrieval tasks with respect to the database, queries to the database, and storage of data. In some embodiments, multiple server computers 208 each having one or more of the components 212-218 may be utilized. In general, the user computer 202 receives data input by the user and transmits such input data to the server computer 208. The server computer 208 then queries the database 210, retrieves requested pages, performs computations and/or provides output data back to the user computer 202, typically for visual display to the user. Additionally, or alternatively, the user computers 202 may automatically, and/or based on user computers' 202 settings/preferences, receive various information, such as alerts, updates, cyber security assessments, cyber security programs, etc., from the server computer 208.
Risk indicators 306 can define virtually any type of information that may affect an asset's exploitation, and the values of risk indicators 306 are specific to an asset. In other words, different assets, e.g., Asset B 304b and Asset n 304n, can have different indicators and/or types of indicators than the indicators 306 associated with Asset A 304a. As mentioned above, risk indicators 306 are used by the technology, in one or more embodiments, to determine a risk assessment 308, based on one or more predetermined algorithms. The risk assessment 308 is a snapshot of real-time risk to an asset (e.g., Asset A 304a) based on the indicators 306 that, in some embodiments, are being continuously or semi-continuously updated via new or continuing security assessments of the company's network. In other words, as assets change (e.g., an asset's operating system is updated), a new risk assessment 308 is automatically and/or manually determined.
One aspect of the disclosed technology relates to a computer-implemented cyber attack assessment method that includes identifying one or more software vulnerabilities for exploiting resources on one or more computing devices, assigning a damage value associated with tangible and intangible losses for an occurrence of one or more cyber attacks exploiting the one or more software vulnerabilities, and dynamically determining an amount of insurance for sufficiently insuring against the occurrence of the one or more cyber attacks exploiting the one or more software vulnerabilities, wherein the amount of insurance is at least based on the damage value. In some embodiments, such a method further includes periodically determining a new amount of insurance based on identifying one or more new software vulnerabilities for exploiting resources on the one or more computing devices.
In another aspect of the technology, a computer-readable storage device stores instructions that, upon execution by a processor of a computing system, cause the computing system to perform a method for insuring against cyber attacks within a network. The method includes determining an asset profile for a target asset, and assigning a risk rating to the target asset, wherein the risk rating is a measure of: (a) vulnerability of the target asset to a present or future cyber attack and (b) a cost associated with an occurrence of the cyber attack on the target asset. Such a method further includes identifying a customer risk profile associated with preventing the occurrence of the cyber attack on the target asset, and dynamically determining one or more financial instruments for insuring against the occurrence of the cyber attack on the target asset, based at least on the risk rating and the customer risk profile.
In some embodiments, the asset profile includes characteristics descriptive of software products and data installed on the target asset. In some embodiments, the customer risk profile includes a threshold tolerance for preventing a determined level of financial loss as a result of the occurrence of the cyber attack on the target asset. In some embodiments, the one or more financial instruments insure against the occurrence of the cyber attack based on the determined level of financial loss. In some embodiments, the above-noted method further includes dynamically and periodically determining one or more new vulnerabilities and, in response to determining the one or more new vulnerabilities, assigning a new risk rating and determining one or more new financial instruments for insuring against an occurrence of a new cyber attack based on the one or more new vulnerabilities.
The complexity of computer-related security threats makes it hard for small companies to have the most up-to-date information and the skills needed to cope with the ongoing and increasing threats faced every day in the world. Computer security personnel are highly skilled, hard to find, and highly paid. Therefore it is unrealistic for small companies to be able to maintain up-to-date defenses against the ever-increasing attacks on computer assets. The insurance company, on the other hand, has to hire highly skilled computer security personnel to perform the security analysis and to keep up with the most recent attacks and new attack methods. Therefore the insurance company can play a preventive role on behalf of many small companies by sharing its computer security expertise, developing defense guidelines, and distributing such defense guidelines and strategies among the insured companies. In this way, the insurance company can bear, or share with the small companies, the costs associated with combatting computer security threats while providing better defenses against new attacks.
Referring again to
One aspect of the disclosed technology relates to determination of insurability of a product or service based on real-time cyber activity, which can lead to a determination of an insurance premium for the product or service. The insurability rating provides a measure as to insurability of the product or service. Examples of products or services include consumer data (e.g., credit card information, personal information) that is stored on a network-accessible storage unit, cloud computing resources that are provided to paying customers, social media services, financial information, financial services, and others. In the context of the disclosed examples, a high insurability rating is commensurate with having a product or service that is easily insurable (e.g., there is a lower risk of damage to the product or service), whereas a low insurability rating indicates that there is a higher risk of damage to the product or service. It is, however, understood that such an inverse correlation between the insurability rating and damage risk is merely provided for the sake of illustration, and other relationships (e.g., direct correlation) can also be used. The insurability rating can be a number or a range of numbers. For instance, in one implementation, the insurability rating is a number between 0 and 100, whereas in another implementation, the insurability rating is represented by high (e.g., ratings in range 80 to 100), medium (e.g., ratings in range 60 to 79) and low (e.g., ratings in range 0 to 59).
Referring again to
The insurability rating can be used to produce an insurance premium value for the product or service. Such an insurance premium can also be affected by other factors, such as the length of the relationship between the insurer and the organization or person that is seeking insurance (the "insured"), the insurance premiums offered by other insurers, the existence of other insurance policies for the product or service, discounts based on the number of other products or services that are insured by the same insurer, and other factors.
One of the advantages of the disclosed technology relates to the use of real-time data that allows dynamic and up-to-date computation of the damage assessment based on cyber activities that are being continuously monitored. For instance, in one exemplary implementation, the real-time damage assessment is computed on an on-going basis based on changes in the real-time data with a time granularity of 1 microsecond or less. Thus, through, for example, monitoring world-wide attacks on particular assets or organizations, the damage assessment can be updated almost instantaneously to allow certain mitigating actions to be triggered. A number or a range of numbers can represent the damage assessment. For instance, in one implementation, the damage assessment is a number between 0 and 100, whereas in another implementation, the damage assessment is represented by a set of three numbers indicative of high (e.g., ratings in range 80 to 100), medium (e.g., ratings in range 60 to 79) and low (e.g., ratings in range 0 to 59) values of the real-time damage assessment.
In one implementation, the real-time damage assessment is computed by an algorithm that uses a weighted average technique. This technique assigns a first weight to an indicator representative of the likelihood of occurrence of the one or more cyber attacks, assigns a second weight to an indicator representative of the likelihood of success of the one or more cyber attacks, and assigns a third weight to an indicator representative of the measure of severity of damage to the product or service. The weights can be indicative of the importance of each of the associated indicators of likelihood and/or measure. Further, each of the likelihood of occurrence of the one or more cyber attacks, the likelihood of success of the one or more cyber attacks, and the measure of severity of damage to the product or service can be determined using historical information associated with previously launched cyber attacks against the product or the service.
The historical information is typically obtained based on attacks, damages and success rates of previous cyber attacks. For example, the historical information can include a number of previous cyber attacks against the product or service, a rate of success of previous cyber attacks against the product or service, an amount of damage to the service or product caused by the previous cyber attack(s), or a frequency of occurrence of cyber attacks against other entities that offer products or services that are similar to the product or service. In one example, the damage caused by a breach of financial data at one financial institution is used to produce a measure of damage for another financial institution. The disclosed technology enables the likelihood of a cyber attack to be produced by analyzing the patterns of cyber activity over a large number of data networks, which can all be carried out in real-time as those patterns evolve over time.
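The weighted-average damage assessment of the preceding two paragraphs, worked through as an added example in Python. This is illustrative code written for this page, not the patent's implementation: the record layout, the saturation constant for the occurrence indicator, the three weights, the asset value and the sample attack history are all assumptions chosen so the arithmetic can be followed by hand.

```python
"""Weighted-average damage assessment from historical attack records.

Added example written for this page; it is not the patent's own code. The
record layout, the saturation constant, the weights and the sample records
are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Assumption: this many observed attacks (on the target or similar entities)
# is treated as a near-certain likelihood of occurrence.
ATTACKS_FOR_CERTAINTY = 10

# Assumption: importance weights for the three indicators.
WEIGHT_OCCURRENCE = 0.3
WEIGHT_SUCCESS = 0.3
WEIGHT_SEVERITY = 0.4


@dataclass(frozen=True)
class AttackRecord:
    """One historical attack observation against a named entity."""
    entity: str
    succeeded: bool
    loss_usd: float  # damage caused; 0 when the attack failed


def likelihood_of_occurrence(records: Iterable[AttackRecord], target: str, peers) -> float:
    """Indicator in [0, 1]: count of attacks against the target and similar
    entities, saturating at ATTACKS_FOR_CERTAINTY."""
    hits = sum(1 for r in records if r.entity == target or r.entity in peers)
    return min(1.0, hits / ATTACKS_FOR_CERTAINTY)


def likelihood_of_success(records: Iterable[AttackRecord], target: str) -> float:
    """Indicator in [0, 1]: success rate of previous attacks on the target itself."""
    mine = [r for r in records if r.entity == target]
    if not mine:
        return 0.0
    return sum(1 for r in mine if r.succeeded) / len(mine)


def severity_of_damage(records: Iterable[AttackRecord], target: str, peers,
                       asset_value_usd: float) -> float:
    """Indicator in [0, 1]: worst observed loss, including losses at peer
    entities (a breach elsewhere informs this target's severity), as a
    fraction of the asset's value."""
    losses = [r.loss_usd for r in records if r.entity == target or r.entity in peers]
    worst = max(losses, default=0.0)
    return min(1.0, worst / asset_value_usd)


def damage_assessment(occurrence: float, success: float, severity: float) -> float:
    """Weighted average of the three indicators, scaled to 0..100."""
    total = WEIGHT_OCCURRENCE + WEIGHT_SUCCESS + WEIGHT_SEVERITY
    score = (WEIGHT_OCCURRENCE * occurrence
             + WEIGHT_SUCCESS * success
             + WEIGHT_SEVERITY * severity) / total
    return round(100.0 * score, 2)


def insurability_rating(damage: float) -> float:
    """Inverse relationship: the higher the damage assessment, the lower the rating."""
    return round(100.0 - damage, 2)


def band(rating: float) -> str:
    """High/medium/low banding from the description (80-100, 60-79, 0-59)."""
    if rating >= 80:
        return "high"
    if rating >= 60:
        return "medium"
    return "low"


# Constructed sample history (not real incident data).
SAMPLE_RECORDS: List[AttackRecord] = [
    AttackRecord("cardvault", True, 250_000),
    AttackRecord("cardvault", False, 0),
    AttackRecord("cardvault", False, 0),
    AttackRecord("cardvault", True, 40_000),
    AttackRecord("peerbank", True, 900_000),  # similar entity, larger breach
    AttackRecord("peerbank", False, 0),
]


def assess(records=SAMPLE_RECORDS, target="cardvault",
           peers=frozenset({"peerbank"}), asset_value_usd=1_000_000.0) -> dict:
    """Run the full pipeline: indicators -> damage assessment -> rating -> band."""
    occ = likelihood_of_occurrence(records, target, peers)
    suc = likelihood_of_success(records, target)
    sev = severity_of_damage(records, target, peers, asset_value_usd)
    dmg = damage_assessment(occ, suc, sev)
    rating = insurability_rating(dmg)
    return {"occurrence": occ, "success": suc, "severity": sev,
            "damage": dmg, "rating": rating, "band": band(rating)}


if __name__ == "__main__":
    print(assess())
```

With the constructed history, six attacks across the target and its peer give an occurrence indicator of 0.6, two successes out of four attacks on the target give 0.5, and the peer's 900,000 loss against a 1,000,000 asset value gives a severity of 0.9; the weighted average is a damage assessment of 69.0, an insurability rating of 31.0 and a "low" band. Note that the peer breach, not the target's own worst loss, drives the severity term, which is the cross-entity inference the description calls out.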
The damage assessment can be used to compute the insurability rating. In one example, computation of the insurability rating includes processing the real-time damage assessment over a pre-determined time interval and then determining a statistical value associated with several of the insurability rating values over that pre-determined time interval. An example of the statistical value is an average of several insurability rating values over the pre-determined time interval. In one variation, the statistical value is a weighted average of the plurality of insurability rating values over the pre-determined time interval. In this scenario, the weights can be assigned or determined using different techniques that would allow easy adaptation and correlation to the changes in the real-time data. For example, in computing the average value, insurability rating values that correspond to later time instances within the predetermined time interval are given a larger weight compared to the insurability rating values that correspond to earlier time instances within the predetermined time interval.
The choice of the pre-determined time interval is often left to the designer of the system and can be based on system capabilities and resources, observed time-dependence of cyber activity patterns, importance of the product or service, and other factors. For example, the time interval can be set to be one hour, one day, one week or one month. The pre-determined time interval can also be set to an initial value, and can then be changed based on changes in the system resources, cyber activity patterns, customer requests, or other factors. It should be noted that in some instances it might be beneficial to compute more than one insurability rating so as to ascertain a trend in insurability rating over time, or for other reasons that facilitate the determination of the proper premium. For example, both a short-term and a long-term insurability rating can be computed, with the short-term insurability rating spanning a time period in the range of, e.g., one hour to one day, and the long-term insurability rating corresponding to a time period that is, e.g., greater than one day and up to one month.
In some implementations, the insurability rating is determined based in-part on the existing cybersecurity countermeasures that are being deployed to protect computers, networks or storage units that participate in storage, production or distribution of the product or service. Examples of such cybersecurity countermeasures include firewalls, anti-virus software, system alerts, fail-safe measures that, for example, limit the amount of loss to the product or service (e.g., cash withdrawal limits), biometric authorization protections and other administrative or physical security measures. In some implementations, the insurability rating is modified dynamically based on changes in cybersecurity countermeasures that are deployed to protect the assets. For example, upon a detection that deployed anti-virus software has expired or has become outdated, the insurability rating can correspondingly change to reflect a higher risk to the asset.
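The time-windowed statistic of the three preceding paragraphs, with recency weighting, separate short-term and long-term windows, and the countermeasure adjustment, worked through as an added example in Python. This is illustrative code written for this page, not the patent's implementation: the linear recency ramp, the per-countermeasure credit and penalty values, the one-day and seven-day windows, and the sample series of damage assessments are all assumptions.

```python
"""Time-windowed, recency-weighted insurability rating with countermeasure
adjustment.

Added example written for this page, not the patent's own code. The linear
recency weights, the countermeasure credit/penalty values, the window lengths
and the sample series are assumptions chosen for illustration.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# (timestamp, real-time damage assessment on a 0..100 scale)
Sample = Tuple[datetime, float]


def rating_from_damage(damage: float) -> float:
    """Inverse relationship between damage assessment and insurability."""
    return 100.0 - damage


def windowed_rating(samples: List[Sample], now: datetime, window: timedelta,
                    weighted: bool = True) -> Optional[float]:
    """Statistical value over the rating values inside [now - window, now].

    With weighted=True the k-th sample in time order gets weight k, so later
    samples count more than earlier ones (assumption: a linear ramp).
    weighted=False gives the plain average. None when the window is empty.
    """
    start = now - window
    in_window = sorted((t, d) for t, d in samples if start <= t <= now)
    if not in_window:
        return None
    ratings = [rating_from_damage(d) for _, d in in_window]
    weights = [k + 1 if weighted else 1 for k in range(len(ratings))]
    return round(sum(w * r for w, r in zip(weights, ratings)) / sum(weights), 2)


# Assumption: credit per active countermeasure, penalty per countermeasure
# reported expired or outdated (e.g. lapsed anti-virus subscription).
ACTIVE_CREDIT = 5.0
LAPSED_PENALTY = 10.0


def adjust_for_countermeasures(rating: float, countermeasures: Dict[str, str]) -> float:
    """Shift the rating by deployed countermeasure status, clamped to 0..100."""
    delta = 0.0
    for status in countermeasures.values():
        if status == "active":
            delta += ACTIVE_CREDIT
        elif status in ("expired", "outdated"):
            delta -= LAPSED_PENALTY
    return round(max(0.0, min(100.0, rating + delta)), 2)


def trend(short_term: float, long_term: float) -> str:
    """Compare the two windows to read a direction, as the description suggests."""
    if short_term < long_term:
        return "deteriorating"
    if short_term > long_term:
        return "improving"
    return "stable"


# Constructed sample series: damage assessments climbing over one week.
NOW = datetime(2024, 1, 8, 12, 0)
SAMPLES: List[Sample] = [
    (NOW - timedelta(days=6), 20.0),
    (NOW - timedelta(days=4), 30.0),
    (NOW - timedelta(days=2), 40.0),
    (NOW - timedelta(hours=20), 60.0),
    (NOW - timedelta(hours=8), 70.0),
    (NOW - timedelta(hours=1), 80.0),
]


def evaluate(samples=SAMPLES, now=NOW, countermeasures=None) -> dict:
    """Short-term (1 day) and long-term (7 day) ratings plus adjustment and trend."""
    if countermeasures is None:
        countermeasures = {"firewall": "active", "anti_virus": "expired",
                           "withdrawal_limit": "active"}
    short = windowed_rating(samples, now, timedelta(days=1))
    long_ = windowed_rating(samples, now, timedelta(days=7))
    return {
        "short_term": short,
        "long_term": long_,
        "long_term_unweighted": windowed_rating(samples, now, timedelta(days=7), weighted=False),
        "adjusted_long_term": adjust_for_countermeasures(long_, countermeasures),
        "trend": trend(short, long_),
    }


if __name__ == "__main__":
    print(evaluate())
```

The one-day window holds the last three samples (ratings 40, 30, 20 with weights 1, 2, 3), giving 26.67; the seven-day window holds all six (ratings 80 down to 20 with weights 1 through 6), giving 39.52 against a plain average of 50.0, so recency weighting pulls the long-term rating toward the recent deterioration. With the anti-virus reported expired, the two active countermeasures and one lapsed one net to zero adjustment; had all three been active the long-term rating would read 54.52, so the detected lapse is visible as a 15-point drop.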
As noted in connection with operation 611 of
The device 800 in
The damage assessment computation component 806 can include sub-components (not shown) that parse the data received from the input port 802 or other device components, and route the appropriate data to other subcomponents (not shown) of the damage assessment computation component 806. For example, a routing subcomponent (not shown) can sift the incoming data to identify and route the following types of data to an aggregation subcomponent: data indicative of a likelihood of the occurrence of the one or more cyber attacks, data indicative of a likelihood of success of the one or more cyber attacks, and data indicative of a measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks. The damage assessment computation component 806 can also include one or more subcomponents (e.g., an aggregation subcomponent) that are configured to assign weights, compute averages, and modify data to determine a damage assessment value or values.
The device 800 also includes an insurability rating computation component 808 that is coupled to the damage assessment computation component 806 and is configured to receive a damage assessment value or values and to determine an insurability rating for the product or service that is usable for determination of an amount of insurance that sufficiently insures against the occurrence of the one or more cyber attacks. The insurability rating computation component 808 is configured to receive the damage assessment values on a real-time basis and use them to produce and update insurability ratings in response to changes in the real-time data. The insurability rating computation component 808 can also include subcomponents (not shown) that are configured to assign weights, compute averages, and modify data to determine the insurability rating. The insurability ratings can be communicated to outside components (not shown) using the output port 804. Examples of those outside components include a monitor, a storage device (e.g., RAM, optical or magnetic disks, etc.), a printer and a networked computing device.
It should be noted that to avoid clutter,
The device 800 that is depicted in
The components or modules that are described in connection with the disclosed embodiments can be implemented as hardware, software, or combinations thereof. For example, a hardware implementation can include discrete analog and/or digital circuits that are, for example, integrated as part of a printed circuit board. Alternatively, or additionally, the disclosed components or modules can be implemented as an Application Specific Integrated Circuit (ASIC) and/or as a Field Programmable Gate Array (FPGA) device. Some implementations may additionally or alternatively include a digital signal processor (DSP) that is a specialized microprocessor with an architecture optimized for the operational needs of digital signal processing associated with the disclosed functionalities of this application.
Various embodiments described herein are described in the general context of methods or processes, which may be implemented in one embodiment by a computer program product, embodied in a computer-readable medium, including computer-executable instructions, such as program code, executed by computers in networked environments. A computer-readable medium may include removable and non-removable storage devices including, but not limited to, Read Only Memory (ROM), Random Access Memory (RAM), compact discs (CDs), digital versatile discs (DVD), Blu-ray Discs, etc. Therefore, the computer-readable media described in the present application include non-transitory storage media. Generally, program modules may include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. Computer-executable instructions, associated data structures, and program modules represent examples of program code for executing steps of the methods disclosed herein. The particular sequence of such executable instructions or associated data structures represents examples of corresponding acts for implementing the functions described in such steps or processes.
While this document contains many specifics, these should not be construed as limitations on the scope of an invention that is claimed or of what may be claimed, but rather as descriptions of features specific to particular embodiments. Certain features that are described in this document in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable sub-combination. Moreover, although features may be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed combination may be directed to a sub-combination or a variation of a sub-combination. Similarly, while operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results.
Claims
1. A computer program product, embodied on one or more non-transitory computer media, comprising:
- program code for receiving real-time data from a computer network at a processor that is implemented at least in-part by electronic circuitry, the real-time data indicative of cyber attacks that are likely to diminish a value of the product or service;
- program code for processing by the processor the real-time data to compute a real-time damage assessment associated with losses to the product or service due to occurrence of one or more cyber-attacks, the damage assessment computed using at least a likelihood of occurrence of the one or more cyber attacks, a likelihood of success of the one or more cyber attacks, and a measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks; and
- program code for determining by the processor an insurability rating for the product or service that is usable for determination of an amount of insurance that sufficiently insures against the occurrence of the one or more cyber attacks, wherein the insurability rating is determined at least in-part based on the real-time damage assessment and is changeable in response to changes in the received real-time data.
2. The computer program product of claim 1, further comprising program code for producing an insurance premium value for the product or service using the insurability rating.
3. The computer program product of claim 1, wherein the real-time damage assessment is computed on an on-going basis based on changes in the real-time data with a time granularity of 1 microsecond or less.
4. The computer program product of claim 1, wherein the insurability rating is produced at least in-part by:
- processing the real-time damage assessment over a pre-determined time interval and determining a statistical value associated with a plurality of insurability rating values over the pre-determined time interval.
5. The computer program product of claim 4, wherein the statistical value is an average of the plurality of insurability rating values over the pre-determined time interval.
6. The computer program product of claim 4, wherein the statistical value is a weighted average of the plurality of insurability rating values over the pre-determined time interval, and wherein an insurability rating value that corresponds to a later time instance within the predetermined time interval is assigned a larger weight compared to an insurability rating value that corresponds to an earlier time instance within the predetermined time interval.
7. The computer program product of claim 4, wherein the pre-determined time interval is one of: one hour, one day, one week or one month.
8. The computer program product of claim 1, further comprising program code for determining at least one additional insurability rating based on the real-time data, wherein one of the insurability rating or the additional insurability rating corresponds to a short-term insurability rating, and the other of the insurability rating or the additional insurability rating corresponds to a long-term insurability rating.
9. The computer program product of claim 8, wherein the short-term insurability rating corresponds to a time period ranging from one hour to one day, and wherein the long-term insurability rating corresponds to a time period that is greater than one day and up to one month.
10. The computer program product of claim 1, wherein the real-time damage assessment is computed using a weighted average technique that assigns a first weight to the likelihood of occurrence of the one or more cyber attacks, a second weight to the likelihood of success of the one or more cyber attacks, and a third weight to the measure of severity of damage to the product or service.
11. The computer program product of claim 1, wherein each of the likelihood of occurrence of the one or more cyber attacks, the likelihood of success of the one or more cyber attacks, and the measure of severity of damage to the product or service is determined using historical information associated with previously launched cyber attacks against the product or the service.
12. The computer program product of claim 11, wherein the historical information includes one or more of: a number of previous cyber attacks against the product or service, a rate of success of previous cyber attacks against the product or service, an amount of damage to the service or product caused by a previous cyber attack, or a frequency of occurrence of cyber attacks against other entities that offer products or services that are similar to the product and service.
13. The computer program product of claim 1, wherein the likelihood of occurrence of the one or more cyber attacks is produced by analyzing data associated with patterns of cyber activity over a plurality of data networks in real-time.
14. The computer program product of claim 13, wherein the patterns of cyber activity include indications of cyber attacks on organizations with network connectivity.
15. The computer program product of claim 1, wherein the insurability rating is determined using an inverse proportionality relationship with respect to the real-time damage assessment.
16. The computer program product of claim 1, wherein the insurability rating is determined based in-part on existing cybersecurity countermeasures that are deployed to protect computers, networks or storage units that participate in storage, production or distribution of the product or service.
17. The computer program product of claim 16, wherein the insurability rating is modified based on changes in the cybersecurity countermeasures deployed to protect computers, networks or storage units that participate in storage, production or distribution of the product or service.
18. The computer program product of claim 1, further comprising program code using the computer network for providing one or more of the following to an entity for obtaining or maintaining insurance coverage for the product or service:
- information regarding the real-time damage,
- information regarding the likelihood of occurrence of the one or more cyber attacks,
- information regarding the likelihood of success of the one or more cyber attacks,
- information regarding the measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks,
- a recommendation for obtaining additional cybersecurity countermeasures, or
- a particular cybersecurity countermeasure.
19. A method for producing insurability ratings for a product or service, the method comprising:
- receiving, at a processor that is implemented at least in-part by electronic circuitry and coupled to a computer network, real-time data indicative of cyber attacks that are likely to diminish a value of the product or service;
- using the processor to process the real-time data to compute a real-time damage assessment associated with losses to the product or service due to occurrence of one or more cyber-attacks, the damage assessment computed using at least a likelihood of the occurrence of the one or more cyber attacks, a likelihood of success of the one or more cyber attacks, and a measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks; and
- using the processor to determine an insurability rating for the product or service that is usable for determination of an amount of insurance that sufficiently insures against the occurrence of the one or more cyber attacks, wherein the insurability rating is determined at least in-part based on the real-time damage assessment and is changeable in response to changes in the received real-time data.
20. The method of claim 19, further comprising using the insurability rating to produce an insurance premium value for the product or service.
21. The method of claim 19, wherein the real-time damage assessment is computed on an on-going basis based on changes in the real-time data with a time granularity of 1 microsecond or less.
22. The method of claim 19, wherein the insurability rating is produced at least in-part by:
- processing the real-time damage assessment over a pre-determined time interval and determining a statistical value associated with a plurality of insurability rating values over the pre-determined time interval.
23. The method of claim 22, wherein the statistical value is an average of the plurality of insurability rating values over the pre-determined time interval.
24. The method of claim 22, wherein the statistical value is a weighted average of the plurality of insurability rating values over the pre-determined time interval, and wherein insurability rating values that correspond to later time instances within the predetermined time interval are assigned a larger weight compared to insurability rating values that correspond to earlier time instances within the predetermined time interval.
25. The method of claim 22, wherein the pre-determined time interval is one of: one hour, one day, one week or one month.
26. The method of claim 19, further comprising determining at least one additional insurability rating based on the real-time data, wherein one of the insurability rating or the additional insurability rating corresponds to a short-term insurability rating, and the other of the insurability rating or the additional insurability rating corresponds to a long-term insurability rating.
27. The method of claim 26, wherein the short-term insurability rating corresponds to a time period ranging from one hour to one day, and wherein the long-term insurability rating corresponds to a time period that is greater than one day and up to one month.
28. The method of claim 19, wherein the real-time damage assessment is computed using a weighted average technique that assigns a first weight to the likelihood of occurrence of the one or more cyber attacks, a second weight to the likelihood of success of the one or more cyber attacks, and a third weight to the measure of severity of damage to the product or service.
29. The method of claim 19, wherein each of the likelihood of occurrence of the one or more cyber attacks, the likelihood of success of the one or more cyber attacks, and the measure of severity of damage to the product or service is determined using historical information associated with previously launched cyber attacks against the product or the service.
30. The method of claim 29, wherein the historical information includes one or more of: a number of previous cyber attacks against the product or service, a rate of success of previous cyber attacks against the product or service, an amount of damage to the service or product caused by a previous cyber attack, or a frequency of occurrence of cyber attacks against other entities that offer products or services that are similar to the product and service.
31. The method of claim 19, wherein the likelihood of occurrence of the one or more cyber attacks is produced by analyzing data associated with patterns of cyber activity over a plurality of data networks in real-time.
32. The method of claim 31, wherein the patterns of cyber activity are indicative of cyber attacks on other organizations with network connectivity.
33. The method of claim 19, wherein the insurability rating is determined using an inverse proportionality relationship with respect to the real-time damage assessment.
34. The method of claim 19, wherein the insurability rating is determined based in-part on existing cybersecurity countermeasures that are deployed to protect computers, networks or storage units that participate in storage, production or distribution of the product or service.
35. The method of claim 34, wherein the insurability rating is modified based on changes in the cybersecurity countermeasures deployed to protect computers, networks or storage units that participate in storage, production or distribution of the product or service.
36. The method of claim 19, further comprising providing one or more of the following to an entity that is interested in obtaining or maintaining insurance coverage for the product or service:
- information regarding the real-time damage,
- information regarding the likelihood of occurrence of the one or more cyber attacks,
- information regarding the likelihood of success of the one or more cyber attacks,
- information regarding the measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks,
- a recommendation for obtaining additional cybersecurity countermeasures, or
- a particular cybersecurity countermeasure.
37. A device, comprising:
- a processor implemented using electronic circuitry; and
- a memory comprising processor executable code, the processor executable code, when executed by the processor, causes the device or the components of the device to:
- receive real-time data indicative of cyber attacks that are likely to diminish a value of the product or service;
- process the real-time data to compute a real-time damage assessment associated with losses to the product or service due to occurrence of one or more cyber-attacks, the damage assessment computed using at least a likelihood of occurrence of one or more cyber attacks, a likelihood of success of the one or more cyber attacks, and a measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks; and
- determine an insurability rating for the product or service that is usable for determination of an amount of insurance that sufficiently insures against the occurrence of the one or more cyber attacks, wherein the insurability rating is determined at least in-part based on the real-time damage assessment and is changeable in response to changes in the received real-time data.
38. A device for generating insurability ratings for a product or service, comprising:
- a first input port coupled to a network communication channel to receive real-time data indicative of cyber attacks that are likely to diminish a value of the product or service;
- a damage assessment computation component that is implemented at least in-part using electronic circuits, the damage assessment computation component coupled to the first input port to receive the real-time data and compute a real-time damage assessment measure associated with losses to the product or service due to occurrence of one or more cyber-attacks, the damage assessment computed using at least a likelihood of occurrence of the one or more cyber attacks, a likelihood of success of the one or more cyber attacks, and a measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks; and
- an insurability rating computation component that is implemented at least in-part using electronic circuits and coupled to the damage assessment computation component, the insurability rating computation component to receive the real-time damage indicator computed by the damage assessment computation component and to determine an insurability rating for the product or service that is usable for determination of an amount of insurance that sufficiently insures against the occurrence of the one or more cyber attacks, wherein the insurability rating is determined at least in-part based on the real-time damage assessment and is changeable in response to changes in the received real-time data.
39. A system for determining insurability rating of a service or product, comprising:
- a server device coupled to a computer network to receive real-time data indicative of cyber attacks that are likely to diminish a value of the product or service and to produce an insurance premium estimate based at least in-part on the received real-time data;
- a client device coupled to the computer network to receive the insurance premium estimate produced by the server device, wherein: the server device uses the real-time data to compute a real-time damage assessment associated with losses to the product or service due to occurrence of one or more cyber-attacks, the damage assessment computed using at least a likelihood of occurrence of the one or more cyber attacks, a likelihood of success of the one or more cyber attacks, and a measure of severity of damage to the product or service as a result of the occurrence of the one or more cyber attacks, and the server device determines an insurability rating for the product or service that is usable for determination of an amount of insurance that sufficiently insures against the occurrence of the one or more cyber attacks, the insurability rating determined at least in-part based on the real-time damage assessment and is changeable in response to changes in the received real-time data.
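The following is an added illustration of the computation recited in claims 35 and 37 to 39 (a damage assessment built from likelihood of occurrence, likelihood of success and severity, an insurability rating that changes when the real-time data or the deployed countermeasures change, and a coverage amount derived from it). It is example code written for this page, not code from the application or its inventor. The expected-loss weighting, the 0..100 rating scale, the "cover the worst single event" coverage rule, and the names `ThreatObservation`, `RatingEngine`, `assess_damage` and `insurability_rating` are assumptions of this example; the input values are constructed.

```python
"""Constructed example: real-time damage assessment and insurability rating.

All names, formulas and sample values are assumptions of this illustration,
not the application's own method.
"""
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class ThreatObservation:
    """One real-time data point about a class of cyber attack on the asset.

    p_occurrence: likelihood the attack is attempted in the rating period (0..1)
    p_success:    likelihood it succeeds given the deployed countermeasures (0..1)
    severity:     fraction of the asset's value lost if the attack succeeds (0..1)
    """
    attack_type: str
    p_occurrence: float
    p_success: float
    severity: float

    def __post_init__(self) -> None:
        # Reject malformed feed data early; a probability outside [0, 1] is a bug.
        for name in ("p_occurrence", "p_success", "severity"):
            v = getattr(self, name)
            if not 0.0 <= v <= 1.0:
                raise ValueError(f"{name} must be in [0, 1], got {v}")


@dataclass
class DamageAssessment:
    expected_loss: float    # sum over attack types of value * p_occ * p_succ * severity
    worst_case_loss: float  # largest single-event loss if an attack succeeds
    loss_ratio: float       # expected_loss / asset_value


def assess_damage(asset_value: float, observations: Iterable[ThreatObservation]) -> DamageAssessment:
    """Combine the three claim factors into an expected-loss damage assessment."""
    obs = list(observations)
    expected = sum(asset_value * o.p_occurrence * o.p_success * o.severity for o in obs)
    worst = max((asset_value * o.severity for o in obs), default=0.0)
    ratio = expected / asset_value if asset_value else 0.0
    return DamageAssessment(expected, worst, ratio)


def insurability_rating(assessment: DamageAssessment) -> int:
    """Map the loss ratio onto a 0..100 score; 100 means no expected loss (assumed scale)."""
    return int(round(100 * (1.0 - min(assessment.loss_ratio, 1.0))))


class RatingEngine:
    """Keeps the latest observation per attack type and re-rates on every change."""

    def __init__(self, asset_value: float):
        self.asset_value = asset_value
        self._latest: Dict[str, ThreatObservation] = {}

    def ingest(self, observation: ThreatObservation) -> int:
        """A new real-time data point replaces the previous one for its attack type."""
        self._latest[observation.attack_type] = observation
        return self.rating()

    def apply_countermeasure(self, attack_type: str, success_multiplier: float) -> int:
        """Model a newly deployed countermeasure as scaling p_success for one attack type."""
        o = self._latest[attack_type]
        self._latest[attack_type] = ThreatObservation(
            o.attack_type, o.p_occurrence, o.p_success * success_multiplier, o.severity)
        return self.rating()

    def assessment(self) -> DamageAssessment:
        return assess_damage(self.asset_value, self._latest.values())

    def rating(self) -> int:
        return insurability_rating(self.assessment())

    def recommended_coverage(self) -> float:
        """Cover the worst single event, and never less than the expected loss (assumed rule)."""
        a = self.assessment()
        return max(a.worst_case_loss, a.expected_loss)


def demo() -> dict:
    """Walk one asset through a feed update and a countermeasure deployment."""
    engine = RatingEngine(asset_value=1_000_000.0)
    engine.ingest(ThreatObservation("ransomware", 0.5, 0.4, 0.3))
    engine.ingest(ThreatObservation("data_exfiltration", 0.2, 0.5, 0.8))
    before = engine.rating()
    # Feed update: the ransomware attempt rate rises, so the rating drops.
    after_update = engine.ingest(ThreatObservation("ransomware", 0.8, 0.4, 0.3))
    # Countermeasure: multi-factor auth halves exfiltration success, so the rating recovers.
    after_countermeasure = engine.apply_countermeasure("data_exfiltration", 0.5)
    return {"before": before, "after_update": after_update,
            "after_countermeasure": after_countermeasure,
            "coverage": engine.recommended_coverage()}


if __name__ == "__main__":
    print(demo())
```

With the constructed inputs the rating starts at 86, falls to 82 when the feed reports a higher ransomware attempt rate, and returns to 86 once the countermeasure halves the exfiltration success probability; the coverage amount is driven by the worst single event (the exfiltration case) rather than by the expected loss.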
Type: Application
Filed: Oct 20, 2015
Publication Date: Apr 21, 2016
Inventor: Marc Lauren Abramowitz (Palo Alto, CA)
Application Number: 14/918,398