What are your thoughts on cyber insurance? Should people get it?

15.1k views · 3 Upvotes · 8 Comments

Board Member, Advisor, Executive Coach in Software, Self-employed
The cyber insurance marketplace is like the wild, wild west. I don't know of anybody who's ever gotten a payout from their cyber insurance policies. We try to equate it to homeowner's insurance, or earthquake, or business interruption, or something like that, where it's really black or white. "Did the building collapse?" "Yes." "Okay, great. We'll cover 75% of the reconstruction of a new one." But you can't equate them to cyber.

In cyberspace, apply a cyber policy to auto insurance. They would go, "Well, your tire pressure wasn't exactly at 32 psi, well, that's one check off the box. You actually had a little bit of a fray on the timing belt, that's another check off the box. You had your radio on, which is distracted driving, so that's a check off the box." And then they whittle away, and basically say, "You're completely at fault. We're not covering anything, because, guess what? We wrote the policy such that if, on any one of these things or the combination of them, you were not on top of every aspect of it, it's not our fault."

The question is, are they getting it because people don't understand what it's really going to do, and it's a feel-good thing? Or are they getting it because they actually believe that, at some level, it provides some financial risk mitigation? But it doesn't actually mitigate risk. It only mitigates the potential for a financial loss because of the risk.
Chief Security Officer in Software, 10,001+ employees
We require our third parties to carry it as a condition of doing business.
Senior Security and Compliance Auditor in Software, 1,001 - 5,000 employees
Many of our customers require that we have it. One company I worked for had enough cash on hand where we could justify paying for an incident out of pocket and didn't carry insurance. I suspect that even if needed, there are likely so many caveats that payment would not be made anyway.
Group Chief Information Officer in Construction, 5,001 - 10,000 employees
As a public company we require it; however, the big argument is that coverage is never enough, and there is the evaluation of intangible assets.
Assistant Director IT Auditor in Education, 10,001+ employees
Cyber insurance is a good thing to have, but it can be very expensive. The network should be properly segregated when designed. Some protections to take: educate your users (security awareness) not to open emails from people they don't know (hard to do depending on your business), but most importantly not to click on links in emails they don't know. A process should be in place to keep systems current (security updates and patches). Monitor users and service accounts. You can also hash the system files, and any changes you would detect with the proper monitoring tools. Security today costs a lot of money, but you have to get the appropriate skills on the job.
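The "hash the system files and detect changes" control mentioned in the comment above is file integrity monitoring. The following is an added example, not code from the original page or from any commenter: it takes a SHA-256 baseline of a directory tree, then re-scans and classifies drift as modified, added or removed. The directory layout, file names and "tampering" are constructed for the demonstration.

```python
"""File-integrity baseline and drift check (added example, not from the page).

The sample tree, its file names and the simulated tampering in demo() are
constructed for illustration only.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, algo: str = "sha256") -> str:
    """Stream the file through the hash so large binaries are not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each regular file under root (POSIX-style relative path) to its digest.

    Symlinks are skipped rather than followed, so a link re-pointed at attacker
    content shows up as 'removed' instead of being hashed as if it were the file.
    """
    baseline: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift between two snapshots into modified, added and removed paths."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict[str, list[str]]:
    """Build a small constructed tree, baseline it, simulate tampering, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "sshd").write_bytes(b"original sshd binary")      # constructed content
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")  # constructed content
        baseline = build_baseline(root)

        # Simulated tampering: binary replaced, new tool dropped, config deleted.
        (root / "bin" / "sshd").write_bytes(b"trojaned sshd binary")
        (root / "bin" / "nc").write_bytes(b"dropped tool")
        (root / "etc" / "passwd").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The check is only as trustworthy as the baseline: an attacker who gains root on the monitored host can rewrite the stored digests along with the files, so the baseline should be kept off-host or on read-only media and the scan scheduled from somewhere the host cannot modify. Tools such as AIDE and Tripwire implement the same idea with a signed or externally stored database and many more attributes (ownership, mode, mtime) than the content hash alone.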
CIO in Software, 501 - 1,000 employees
Some pointers to consider:
> premiums are negotiable - don’t take the first quote
> how ‘perfect’ does operation of current controls need to be - is 95% ok for meeting patching targets?
> will the payout (assume no more than policy limit) be sufficient to cover investigation, remediation and PR/marketing costs to recover from a breach or compromise?
> how does the expected cost vs probability of compromise equate to a self-insured business case rather than annual premiums?
CIO in Software, 2 - 10 employees
Yes, cyber insurance is expensive and there's doubt about payouts; however, as a public entity it is a requirement. So much head bashing is required with the underwriters to try and figure out the quantum. And I'd agree with all the other comments on this as well.
VP of IT in Software, 1,001 - 5,000 employees
After WannaCry and NotPetya resulted in major operational disruptions in big companies, cyber insurance has become more sought after. Yes, I think cyber insurance is needed as a form of limited cyber risk transfer against the inevitability of a breach, and in particular against black swan events. The scope of applicability is typically events that your BCP plan does not already cover. Having said that, if you are critical infrastructure at a national level, cyber insurance does nothing to lower that risk.
