KREBS CRABINESS AND INSURERS AS REGULATORS

Michael Sean Quinn, Ph.D., J.D., c.p.c.u. . . .
The Law Firm of Michael Sean Quinn et
Quinn and Quinn
1300 West Lynn Street, Suite 208
Austin, Texas 78703
(512) 296-2594
(512) 344-9466 – Fax

E-mail: mquinn@msquinnlaw.com


Notice the involvement of lawyers in what appears to be a problem in cyber crime connected to cyber insurance. Notice how lawyers might be involved in insurance underwriting.  It’s more frequently that way than one might think. 

As Krebs, of the Internet publication KrebsonSecurity, has pointed out many times, cyber attacks, and therefore defense systems, at least tend to focus on the accounts, credit cards, and other information of customers, not those of the institutions themselves. The cyber systems of institutions, e.g., retailers and banks, are minimally protected. Here’s how he put it on February 16, 2015: “Most organizations–even many financial institutions–aren’t up to defeat skilled attackers; their network security is built around ease-of-use, compliance, and/or defeating auditors and regulators.”


Leaving itself unprotected in order to pursue its own short-term interests? So much for financial responsibility? So much for transparency? Krebs and others have conjectured that bank losses may be as high as a $billion, and those may be just U.S. losses.

Obviously these systems need further and better regulation. Insurance underwriting can provide it. If insurers require financial institutions to provide better–better yet, maximum–protection for their networks, rather than simply enough to protect themselves from regulators, everybody’s money and pocketbooks would be better off.

Insurers should require this in all sorts of insurance policies, even those that are not directly connected to cyber insurance, although they should most assuredly do so in cyber policies. I don’t see why they couldn’t be in CGL, D&O, and even vehicle policies, e.g., those for transporting ATM money. I don’t see why they could not apply to first-party property policies, such as those for computers and buildings. After all, a sophisticated cyber attack might affect either of these types of systems.

Why should this be done? Because all of these “variations” will maximize protection at given points of evolving history and decrease successful attacks in all sorts of ways. 

How might this regulation work? Insurance applications should insist that applicants have the best in hack protection. This may require special drafting. That can be done by cyber-sophisticated underwriters or underwriting consultants, by cyber forensic engineers to some extent, by experts on hacking who understand how the English language for insurance contracts works, and by the right kinds of cyber and insurance lawyers.


Post Script #1

Social change always creates new segments of language, and these are often new verbs–not to be confused with new verbiage; that word–the word verbiage–covers all the new language of whatever type. I am most interested in pointing out that existing nouns are sometimes turned into verbs, while also remaining nouns. Sometimes new nouns are made into verbs. Here’s a good example: “Those villains put malware in my network.” Now here’s a change: “Those villains malwared me.” This is not a new feature of the cyber world; it happens in ordinary language as well–sometimes long established language, sometimes newer language, e.g., that of technical economics. Old Language Example: In the Christian hymn “Praise the Almighty, the King of Creation,” there is a verse that has not been reprinted in anyone’s hymnal for at least one generation. In that verse the singers–those praying in song–ask the Lord to “prosper” them. Now there’s a verb worth having, even if it does sound, and run the danger of being, idolatrous and therefore sinful.


Here is another example. Frequently in business situations, e.g., in claims adjusting inside insurance companies, there is such a thing as a “round table discussion.” It is now correctly sayable that “We are going to roundtable an issue.”


[To be sure, the following is not a burning question of any sort or to any degree, but: Is there such a thing as malware becoming worn or worn out? Relatedly, is there such a thing as malworn malware? There might be great metaphors lying around here too. What might one call an ageing, experienced but declining hacker? One might say that he is malworn out.]