Still need convincing that cyberinsurance (computer loss insurance, data breach insurance, whatever) is a bad idea?
Talk to National Bank of Blacksburg.
Executives had had the foresight to purchase insurance, actually a rider, against computer and electronic crime. The bank had two breaches, one in 2016, and one again the following year, for a total loss of 2.4 million dollars.
The insurer, Everest National Insurance Co., offered $50,000 as settlement.
The insurer claims that the loss was a debit card loss, even though malware was installed on a bank server via a phishing attack. ATMs and cards were used, but only a lawyer could make that kind of claim. That's why insurance companies employ lots of lawyers.
If you read the details of the article, it sounds very likely that the insurer will win and the bank will lose. I'm unsurprised: this kind of weaseling by insurance companies is exactly the type of thing I've been thinking in regard to cyberinsurance since I first heard of the idea thirty years ago.
We've mentioned insurance in a variety of other contexts here in the "community": vendors using "cheap" insurance as a come-on, vendor liability, detailed risk analysis, professional liability (we actually did that twice), insurance for chapters, and even whether we can insure ourselves against GDPR fines.
I've had the full lifecycle of 3 different businesses: 2 in IT and one related to my hobby, a fly fishing store. After establishing an LLC for each (U.S.A. corp entity per U.S. Tax code), I purchased a liability insurance package next. I wouldn't dream of taking the first step without having those in place. I also added a $5M umbrella package on my home in case a lawsuit was ever generated at my company and the lawyers tried to go after me personally. My one IT company was sued once and I won the case.
If I started a cyber consulting company I would have a policy and I would read it cover to cover to make sure the insurance company could not weasel out of their responsibility.
Me and my lawyer!
Ah, but would you *understand* it all? All the traps that they could use to weasel out of paying? Last time I went through my tenant's insurance in detail, there were sections that even the adjuster didn't understand ...
An update on Cyber Insurance: Should organisations invest in Cyber Insurance and/or Cyber Liability?
Yet another excuse insurance companies have found to avoid paying claims: act of war.
Most insurance policies have standard boilerplate stating that they don't have to pay if the loss results from an act of war. So, when Zurich American Insurance Company received a claim from client Mondelez for a NotPetya infection, Zurich American (after making an initial payment) took the position that, since experts have said NotPetya came from Russia as an attack on the Ukraine, it was an act of war, and they don't have to pay out.
This is all before the courts, now, and it'll be interesting to see how it plays out. An awful lot of malware now has "state actor" involvement, so this may make a huge difference to cyberinsurance claims ...