What are your thoughts on cyber insurance? Should people get it? - Pulse Q&A

What are your thoughts on cyber insurance? Should people get it?

@IT Number of answers: 0

Malcolm Harkins, Chief Security and Trust Officer, answered on 2019-04-24T21:36:59.919Z, a month ago

The cyber insurance marketplace is like the wild, wild west. I don't know of anybody who's ever gotten a payout from their cyber insurance policies. We try and equate it to homeowner's insurance, or earthquake, or business interruption, or something like that, where it's really black or white. "Did the building collapse?" "Yes." "Okay, great. We'll cover 75% of the reconstruction of a new one." But you can’t equate them to cyber. In the cyberspace, apply a cyber policy to auto insurance. They would go, "Well, your tire pressure wasn't exactly at 32 psi, well, that's one check off the box. You actually had a little bit of a fray on the timing belt, that's another check off of the box. You had your radio on, which is distracting driving, so that's a check off of the box." And then they whittle away, and basically say, "You're completely at fault. We're not covering anything, because, guess what? We wrote the policy such that if any one of these things, or the combination of them, you were not on top of every aspect of it, it's not our fault." The question is, are they getting it because people don't understand what it's really going to do, and it's a feel-good thing? Or are they getting it because they actually believe that at some level, it provides some financial risk mitigation? But it doesn't actually mitigate risk. It only mitigates the potential for a financial loss, because of the risk.

upvotes: 1


Lee Vorthman, Director of Information Security, answered on 2019-04-25T02:41:43.417Z, a month ago

We require our 3rd parties to carry it as a condition of doing business.

upvotes: 1


Douglas Ljung, Director of Information Security, answered on 2019-04-25T15:57:31.506Z, a month ago

Many of our customers require that we have it. One company I worked for had enough cash on hand where we could justify paying for an incident out of pocket and didn't carry insurance. I suspect that even if needed, there are likely so many caveats that payment would not be made anyway.

upvotes: 0


Ali Katkhada, CIO, answered on 2019-04-27T18:11:47.072Z, 25 days ago

As a public company, we require that. However, the big argument is coverage never being enough and the evaluation of intangible assets.

upvotes: 0


Clifton Persaud, Assistant Director of IT Audits, answered on 2019-05-06T17:24:44.459Z, 16 days ago

Cyber insurance is a good thing to have, but it could be very expensive. The network should be properly segregated when designed. Some protections to take: educate your users (security awareness) not to open emails from people you don't know (hard to do depending on your business), but most importantly, do not click on links in emails you don't know. A process should be in place to keep systems current (security updates and patches). Monitor users and service accounts. You can also hash the system files, and you would detect any changes with the proper monitoring tools. Security today costs a lot of money, but you have to get the appropriate skills on the job.

upvotes: 0


Kumud Kalia, CIO, answered on 2019-05-07T01:13:28.868Z, 16 days ago

Some pointers to consider:

- premiums are negotiable - don’t take the first quote
- how ‘perfect’ does operation of current controls need to be - is 95% ok for meeting patching targets?
- will the payout (assume no more than policy limit) be sufficient to cover investigation, remediation and PR/marketing costs to recover from a breach or compromise?
- how does the expected cost vs probability of compromise equate to a self-insured business case rather than annual premiums?

upvotes: 0
