Is it a given that the loss isn’t covered by insurance?
There’s always a balance of risk and the cost of mitigating risk.
One way to mitigate risk is simply buying an insurance policy which in many cases may be cheaper than paying a security firm to protect yourself proactively.
Cyber insurance often includes things like coverage for a PR firm to help recover from as much of the reputational damage as may have been incurred.
Many cyber insurance plans also include coverage for paying ransoms.
(I’m playing devil's advocate somewhat; buying insurance to protect against cyber is something companies should do alongside taking a proactive approach to securing systems.)
I am responsible for negotiating a cyber insurance policy for a fintech, and the marketplace is drying up due to risk repricing. If it was my money, I wouldn't be backstopping anyone getting underwritten unless I could plug directly into their controls and observability systems to confirm their risk posture, as well as have an internal (to the insurer) IR team. I'd probably also require quarterly IR tabletops and red teaming without prior notification required. Less around process and attestation, more about real-world validation.
Typically when applying for cyber insurance you submit a questionnaire which includes questions like “Do all endpoints use AV?” and “Do you use IDS on your network?” etc., etc.
To a certain extent insurance shouldn’t need to verify controls if they’re able to have a company fill a questionnaire, and if their answers aren’t accurate the insurance carrier can use that as a basis for denying the claim.
I would hope any federal program (if one comes about) works similarly. “We will only cover incidents if we can verify after the fact that you had these controls and mitigation measures in place prior to the attack”
I cannot share our broker and insurers, but the process is no longer as simple as a questionnaire. They are asking to see systems and evidence, and frankly, I do not blame them.
> I would hope any federal program (if one comes about) works similarly. “We will only cover incidents if we can verify after the fact that you had these controls and mitigation measures in place prior to the attack”
Mostly the gist of my public comments. If you obtained cyber insurance under false pretenses, you will not be getting federal dollars. But also, questionnaires alone are no longer sufficient (imho). Really want to prevent a repeat of FEMA. Incentives matter.
Just curious, are you able to share the coverage range for that level of diligence? My anecdotes are based on a $4m policy that costs around $10k/yr. It would make sense if there’s much more diligence for policies 10-100x larger.
Full-on SOC 2 and SSAE-18 investigations when my last job asked for it.
They couldn't complete some of those, and eventually just punted for lower levels of coverage. The cost to meet their requirements exceeded the cost of the lower coverage and expected loss. Cue the Fight Club recall scene.
The problem is the risk landscape is shifting under the policies. 5 years ago, ransoms were 100 K$ on the high end. Now they are 10 M$. The number of ransomware attacks per year has been tripling (!) year over year for the last few years. So, compared to five years ago, the probability of a claim against a policy increased by 30,000%.
Every single policy written 5 years ago is underwater and every single policy with a large coverage amount is so hilariously underwater that there is a good chance that they will ruin the insurer and all of their re-insurers. For instance, the courts recently ruled in favor of Merck for a 1.4 G$ claim due to the 2017 NotPetya cyberattack [1]. That alone was more than the premiums of the entire worldwide cybersecurity insurance industry in 2015 [2]. It is to the point where, from what I have heard recently, the cybersecurity insurance vendors have largely given up writing new policies with more than a few million dollars worth of coverage.
They want to stay in the business so they are ready when the risk landscape stabilizes, but profitable policies need the premiums to be tens to hundreds of times higher than the standard backward-looking actuarial models would suggest. So, if your competitors are dumber than you are, they will give policies with ridiculously lower premiums, not realizing they are going to be bankrupt in a few years. The only way to write a competitive policy in that environment is to take a loss, but limit the coverage to bound the loss to something survivable. Then you hunker down until the risk landscape stabilizes and everybody writing dumb big policies dies, allowing you to write new policies with correct, vastly higher, premiums.