cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
emilygsandler
Newcomer I

Cyber insurance requirements are influencing security product procurement

Check out the highlights of an Infosec study conducted with the 451 Alliance, exploring  the usage of cybersecurity insurance policies as a method of risk transfer for enterprise security programs:

 

https://blog.451alliance.com/cyber-insurance-requirements-are-influencing-security-product-procureme...

12 Replies
Caute_cautim
Community Champion

@emilygsandler    An interesting report, the cyber insurance providers, would definitely influence the security product procurement process, as to what mitigating solutions would be satisfy their criteria for protecting the insured organisation.  

 

So what happens if the cyber insurance vendor of choice, actually fails to provide the level of protection required to meet the cyber insurance standards - who is liable the Cyber Insurance provider or the client?

 

This appears very biased, especially if the cyber insurance provider has a partnership or relationship with the supplier of the preferred solution(s).  

 

How can an appropriate level of professional objectivity be maintained?  Testing, auditing regularly?

 

Regards

 

Caute_Cautim

ericgeater
Community Champion

My thoughts are about private companies that don't have regulatory or legal compliance needs, and only answer to the whims of the board.  What are insurers requiring?  NGFWs?  Security awareness training?  Information security to be added to BOD meetings?  Satisfactory VA reports?

 

Questionnaires sound nice, but do they represent they represent good due diligence?  "Customer checked a box saying he had [insert your favorite control], but our findings showed [insert your favorite disagreement scenario], so we're not paying."

 

This would be an epic disaster for the customer, and it looks like poor due diligence on both parties.

-----------
A claim is as good as its veracity.
emilygsandler
Newcomer I

@ericgeater I would imagine the example you gave could be considered fraud or breach of contract if the customer claims they had XYZ conditions met but had not done so. 

emilygsandler
Newcomer I

@Caute_cautim I'm curious to hear more about what you mean by 'This appears very biased'? Do you mean that there's a conflict of interest in cyber insurance companies requiring specific third-party tools in order to grant coverage?

JoePete
Advocate I


@emilygsandler wrote:

I would imagine the example you gave could be considered fraud or breach of contract if the customer claims they had XYZ conditions met but had not done so. 


I'd say it's not a matter of "XYZ" to ensure coverage. It's more "You're to use certain letters in the alphabet." They won't say which ones or how many. While it varies by jurisdiction, insurance investigations are largely unregulated in the US. They can ask for anything, including hard-to-collect or sensitive data, like every employee's cellphone records, several months worth of network logs, etc. If you decline, it could trigger a denial based on lack of cooperation. When you do your risk management exercises, you need to account for the additional work you may have to do (collecting data, giving statements, etc.), additional legal costs (eventually attornies get involved), and the resultant delay and its impact on your cash flow.

 

If you do obtain insurance, you need to watch what happens at renewal. The policy may have covered everything in year one, but in year two, they might impose limits, raise deductibles, or simply eliminate lines of coverage (e.g., ransomware). The good news is if you shop these things around, different insurers are always looking to give a deal to get your business, but it can become a real time sink. As always, your mileage may vary .... 

Caute_cautim
Community Champion

@emilygsandler    Lets be explicit, certain insurance providers may have certain partnerships or preferred suppliers rather like stating you must use Cisco or Juniper solutions rather than Fortigate ones?

 

This would be preferential behaviour towards certain suppliers, which would be biased towards those suppliers.  In fact it has been known that certain suppliers provide discounts or support criteria in support etc.

 

For instance a well known recent example: Microsoft providing discounts to Government agencies to ensure they are preferred as good value for money etc.  To ensure they are selected etc.   This policy recently did not do the US Government much good with the recent issues arising as a result of a recent hack, which apparently is ongoing, because the supplier is having issues evicting the hackers from their systems.

 

Rather than stating having a list of certified solutions, i.e. which means they have XYZ criteria and giving the client the choice to select the appropriate supplier, which meets their budget and Non-Functional Requirements, depending on the organisations information security policies etc.

 

As long as the suppliers have the XYZ certifications and or meet certain criteria and then the client should be free to chose the appropriate solution themselves, that meets their business and budgetary objectives.

 

Regards

 

Caute_Cautim

 

 

 

 

JoePete
Advocate I


@Caute_cautim wrote:

As long as the suppliers have the XYZ certifications and or meet certain criteria and then the client should be free to chose the appropriate solution themselves, that meets their business and budgetary objectives.


This is a sensible sentiment. It's hard to speak universally about insurance. Here in the US, the parameters can vary from state to state, and then, within each of those frameworks, you can have a range of providers, each of whom can craft different policies. Especially with something like cyber insurance, it can end up being a "rider" on an existing comprehensive policy, which is akin to an addendum to a service level agreement.

 

In my experience, insurers shy away from specifics. The more open-ended or vague the criteria, the more opportunity the insurer has to investigate and delay the claim. Their position is it's your job, as the insured, to do everything right and to know what that everything is.

 

Where the rubber meets the road with insurance isn't in acquiring the coverage. It's in the processing of a claim. When looking to transfer risk, it's easy to overlook these costs, which in some cases can exceed the loss expectancy calculation itself. As a small example, you can end up paying a lawyer $500 an hour to advocate for the coverage of $50 an hour contractors who were necessary to help recover from some incident. Like every industry, you have good insurers and not-so-good ones, but you really only find out which you have after you need them.

MarkH_NJ
Newcomer I

I've experienced this kind of risk transfer.  Some leaders feel that if they spend the money on Cyber Insurance, they don't have to worry about spending money on protecting their infrastructure. Insanity to say the least.  Our jobs as "teacher" will never end. 🙂

JoePete
Advocate I


@MarkH_NJ wrote:

Some leaders feel that if they spend the money on Cyber Insurance, they don't have to worry about spending money on protecting their infrastructure.


It is a shame that insurance, which is supposed to bring some certainty when the unexpected happens, has itself become an unpredictable entity. It would be interesting to propose associations or even affiliations of companies self insuring: As long those participants shared information and helped their partners stay ahead of threats, they'd agree to somehow help with costs. A pipe dream with a few logistical hurdles, I know, but there has to be a better way.