emilygsandler
Newcomer I

Cyber insurance requirements are influencing security product procurement

Check out the highlights of an Infosec study conducted with the 451 Alliance, exploring  the usage of cybersecurity insurance policies as a method of risk transfer for enterprise security programs:

 

https://blog.451alliance.com/cyber-insurance-requirements-are-influencing-security-product-procureme...

12 Replies
Caute_cautim
Community Champion

@emilygsandler    An interesting report. The cyber insurance providers would definitely influence the security product procurement process, as to what mitigating solutions would satisfy their criteria for protecting the insured organisation.

 

So what happens if the cyber insurance vendor of choice actually fails to provide the level of protection required to meet the cyber insurance standards - who is liable, the cyber insurance provider or the client?

 

This appears very biased, especially if the cyber insurance provider has a partnership or relationship with the supplier of the preferred solution(s).  

 

How can an appropriate level of professional objectivity be maintained?  Testing, auditing regularly?

 

Regards

 

Caute_Cautim

ericgeater
Community Champion

My thoughts are about private companies that don't have regulatory or legal compliance needs, and only answer to the whims of the board.  What are insurers requiring?  NGFWs?  Security awareness training?  Information security to be added to BOD meetings?  Satisfactory VA reports?

 

Questionnaires sound nice, but do they represent good due diligence?  "Customer checked a box saying he had [insert your favorite control], but our findings showed [insert your favorite disagreement scenario], so we're not paying."

 

This would be an epic disaster for the customer, and it looks like poor due diligence on both parties.

-----------
A claim is as good as its veracity.
emilygsandler
Newcomer I

@ericgeater I would imagine the example you gave could be considered fraud or breach of contract if the customer claims they had XYZ conditions met but had not done so. 

emilygsandler
Newcomer I

@Caute_cautim I'm curious to hear more about what you mean by 'This appears very biased'? Do you mean that there's a conflict of interest in cyber insurance companies requiring specific third-party tools in order to grant coverage?

JoePete
Advocate I


@emilygsandler wrote:

I would imagine the example you gave could be considered fraud or breach of contract if the customer claims they had XYZ conditions met but had not done so. 


I'd say it's not a matter of "XYZ" to ensure coverage. It's more "You're to use certain letters in the alphabet." They won't say which ones or how many. While it varies by jurisdiction, insurance investigations are largely unregulated in the US. They can ask for anything, including hard-to-collect or sensitive data, like every employee's cellphone records, several months' worth of network logs, etc. If you decline, it could trigger a denial based on lack of cooperation. When you do your risk management exercises, you need to account for the additional work you may have to do (collecting data, giving statements, etc.), additional legal costs (eventually attorneys get involved), and the resultant delay and its impact on your cash flow.

 

If you do obtain insurance, you need to watch what happens at renewal. The policy may have covered everything in year one, but in year two, they might impose limits, raise deductibles, or simply eliminate lines of coverage (e.g., ransomware). The good news is that if you shop these things around, different insurers are always looking to give a deal to get your business, but it can become a real time sink. As always, your mileage may vary....

Caute_cautim
Community Champion

@emilygsandler    Let's be explicit: certain insurance providers may have certain partnerships or preferred suppliers, rather like stating you must use Cisco or Juniper solutions rather than Fortigate ones?

 

This would be preferential behaviour towards certain suppliers, which would be biased towards those suppliers.  In fact, it has been known that certain suppliers provide discounts or support criteria in support etc.

 

For instance, a well-known recent example: Microsoft providing discounts to Government agencies to ensure they are preferred as good value for money etc., to ensure they are selected etc.   This policy recently did not do the US Government much good, with the recent issues arising as a result of a recent hack, which apparently is ongoing, because the supplier is having issues evicting the hackers from their systems.

 

Rather than stating, have a list of certified solutions, i.e. which means they have XYZ criteria, and give the client the choice to select the appropriate supplier which meets their budget and Non-Functional Requirements, depending on the organisation's information security policies etc.

 

As long as the suppliers have the XYZ certifications and/or meet certain criteria, the client should be free to choose the appropriate solution themselves, one that meets their business and budgetary objectives.

 

Regards

 

Caute_Cautim

JoePete
Advocate I


@Caute_cautim wrote:

As long as the suppliers have the XYZ certifications and/or meet certain criteria, the client should be free to choose the appropriate solution themselves, one that meets their business and budgetary objectives.


This is a sensible sentiment. It's hard to speak universally about insurance. Here in the US, the parameters can vary from state to state, and then, within each of those frameworks, you can have a range of providers, each of whom can craft different policies. Especially with something like cyber insurance, it can end up being a "rider" on an existing comprehensive policy, which is akin to an addendum to a service level agreement.

 

In my experience, insurers shy away from specifics. The more open-ended or vague the criteria, the more opportunity the insurer has to investigate and delay the claim. Their position is it's your job, as the insured, to do everything right and to know what that everything is.

 

Where the rubber meets the road with insurance isn't in acquiring the coverage. It's in the processing of a claim. When looking to transfer risk, it's easy to overlook these costs, which in some cases can exceed the loss expectancy calculation itself. As a small example, you can end up paying a lawyer $500 an hour to advocate for the coverage of $50 an hour contractors who were necessary to help recover from some incident. Like every industry, you have good insurers and not-so-good ones, but you really only find out which you have after you need them.

MarkH_NJ
Viewer II

I've experienced this kind of risk transfer.  Some leaders feel that if they spend the money on Cyber Insurance, they don't have to worry about spending money on protecting their infrastructure. Insanity to say the least.  Our jobs as "teacher" will never end. 🙂

JoePete
Advocate I


@MarkH_NJ wrote:

Some leaders feel that if they spend the money on Cyber Insurance, they don't have to worry about spending money on protecting their infrastructure.


It is a shame that insurance, which is supposed to bring some certainty when the unexpected happens, has itself become an unpredictable entity. It would be interesting to propose associations or even affiliations of companies self-insuring: as long as those participants shared information and helped their partners stay ahead of threats, they'd agree to somehow help with costs. A pipe dream with a few logistical hurdles, I know, but there has to be a better way.