Hi All
An interesting piece within CPO Magazine, I happened upon: https://www.cpomagazine.com/cyber-security/businesses-are-finding-out-that-cyber-insurance-coverage-...
"Evidence is building that many of these cyber insurance policies might be close to worthless, as insurance companies look for any excuse possible to avoid paying out the full amount of a claim."
I wonder if the Ransomware attacks are contributing to this effect?
Regards
Caute_Cautim
Hi,
while Ransomware is certainly an issue, it may not always be a negative contributor here, as some insurance companies also see it as a benefit to pay the ransom in certain cases to be able to sell even more insurance, i.e. this is not just a reason to reject claims.
The current (Jan/Feb 2020) ISC2 membership magazine also has a story on this topic, and to quote two interesting parts of it:
- positive example: getting assistance during an incident with resources otherwise not available
- negative example: insurance not paying as the attack was classified as originating from Russia and therefore the "war exclusion" rule applies
Transferring the risk to another entity brings a risk of its own and you will need to check your insurance partner and policies in detail. In the end it may still be better to spend more resources to mitigate the risk rather than simply transferring it. Overall risk mitigation is likely easier to control and audit than risk transfer.
Bye,
Wolfgang.
@WolfgangLey Thank you for your contribution, and a healthy point of view as well.
My experience, from clients is initially for the first time the organisation invokes it. It can literally save their bacon, so to speak. And the Cyber Insurance organisation provides some advice, and leverages recommendations in order to reduce the impact to them the next time around. In fact, at one presentation late last year, the insurance company showed us their statistics, the biggest one was in fact Insider Threats. Followed by social engineering attacks, related to Phishing or Spear phishing from my neck of the world - New Zealand.
Taking Ransomware, which initially was a question of pay or not pay, has now morphed into a Cat and Mouse game in some circumstances - i.e. we will release information we have gathered on your organisation and make it public. Or embellished with deadly threats to encourage payment as well.
Others may have a different perspective, which I certainly welcome.
Regards
Caute_cautim
@Caute_cautim wrote:
Hi All
An interesting piece within CPO Magazine, I happened upon: https://www.cpomagazine.com/cyber-security/businesses-are-finding-out-that-cyber-insurance-coverage-...
"Evidence is building that many of these cyber insurance policies might be close to worthless, as insurance companies look for any excuse possible to avoid paying out the full amount of a claim."
I wonder if the Ransomware attacks are contributing to this effect?
Regards
Caute_Cautim
When I first started in Security, there was insurance that could be bought to protect the organization against unplanned outages (heavy manufacturing). In discussions with the insurance people (actuaries), they determined that it would not be cost-effective to buy the insurance but rather that we self-insure. I recently had the pleasure of discussing insurance on Ransomware with them and found their opinion had not changed.
They felt the insurance companies would impose a very large "deductible", the premiums would be excessively high, and unless the Earth, the Moon and Venus were in exact alignment, the insurance company could find that fine print that allowed them not to pay.
So as they are the experts and have their finger on the pulse of the insurance industry, I would tend to agree that Cyber Insurance may not be worth the payments.
my nickel
d