I cannot share our broker and insurers, but the process is no longer as simple as a questionnaire. They are asking to see systems and evidence, and frankly, I do not blame them.
> I would hope any federal program (if one comes about) works similarly. “We will only cover incidents if we can verify after the fact that you had these controls and mitigation measures in place prior to the attack”
Mostly the gist of my public comments. If you obtained cyber insurance under false pretenses, you will not be getting federal dollars. But also, questionnaires alone are no longer sufficient (imho). Really want to prevent a repeat of FEMA. Incentives matter.
Just curious, are you able to share the coverage range for that level of diligence? My anecdotes are based on a $4m policy that costs around $10k/yr. It would make sense if there’s much more diligence for policies 10-100x larger.
full on SOC 2 and SSAE-18 investigations when my last job asked for it.
They couldn't complete some of those, and eventually just punted for lower levels of coverage. The cost to meet their requirements exceeded the cost of the lower coverage plus the expected loss. Cue the Fight Club recall scene.