What are your thoughts on cyber insurance? Should people get it?

The cyber insurance marketplace is like the wild, wild west. I don't know of anybody who's ever gotten a payout from their cyber insurance policies. We try and equate it to homeowner's insurance, or earthquake, or business interruption, or something like that, where it's really black or white. "Did the building collapse?" "Yes." "Okay, great. We'll cover 75% of the reconstruction of a new one." But you can't equate them to cyber. In the cyberspace, apply a cyber policy to auto insurance. They would go, "Well, your tire pressure wasn't exactly at 32 psi, well, that's one check off the box. You actually had a little bit of a fray on the timing belt, that's another check off of the box. You had your radio on, which is distracting driving, so that's a check off of the box." And then they whittle away, and basically say, "You're completely at fault. We're not covering anything, because, guess what? We wrote the policy such that if any one of these things, or the combination of them, you were not on top of every aspect of it, it's not our fault." The question is, are they getting it because people don't understand what it's really going to do, and it's a feel-good thing? Or are they getting it because they actually believe that at some level, it provides some financial risk mitigation? But it doesn't actually mitigate risk. It only mitigates the potential for a financial loss, because of the risk.

14838 views
8 comments
3 upvotes
Anonymous Author
We require our 3rd parties to carry it as a condition of doing business.
1 upvotes
Anonymous Author
Yes, cyber insurance is expensive and there's doubt about payouts; however, as a public entity it is a requirement. So much head bashing is required with the underwriters to try and figure out the quantum. And I'd agree with all the other comments on this as well.
1 upvotes
Anonymous Author
Many of our customers require that we have it. One company I worked for had enough cash on hand where we could justify paying for an incident out of pocket and didn't carry insurance. I suspect that even if needed, there are likely so many caveats that payment would not be made anyway.
0 upvotes
Anonymous Author
As a public company we require that; however, the big argument is that coverage is never enough, and the evaluation of intangible assets.
0 upvotes
Anonymous Author
Cyber insurance is a good thing to have, but could be very expensive. The network should be properly segregated when designed. Some protections to take: educate your users (security awareness) not to open emails from people you don't know (hard to do depending on your business), but most importantly do not click on links in emails you don't know. A process should be in place to keep systems current (security updates and patches). Monitor users and service accounts. You can also hash the system files, and with the proper monitoring tools you would detect any changes. Security today costs a lot of money, but you have to get the appropriate skills on the job.
0 upvotes
Anonymous Author
Some pointers to consider:
> premiums are negotiable - don't take the first quote
> how 'perfect' does operation of current controls need to be - is 95% ok for meeting patching targets?
> will the payout (assume no more than policy limit) be sufficient to cover investigation, remediation and PR/marketing costs to recover from a breach or compromise?
> how does the expected cost vs probability of compromise equate to a self-insured business case rather than annual premiums?
0 upvotes
Anonymous Author
After WannaCry and NotPetya resulted in major operational disruptions in big companies, cyber insurance has become more sought after. Yes, I think cyber insurance is needed as a form of limited cyber risk transfer against the inevitability of a breach and in particular against black swan events. The scope of applicability is typically against events that your BCP plan does not already cover. Having said that, if you are critical infrastructure at a national level, cyber insurance does nothing to lower that risk.
0 upvotes