Still need convincing that cyberinsurance (computer loss insurance, data breach insurance, whatever) is a bad idea?
Talk to National Bank of Blacksburg.
Executives had had the foresight to purchase insurance, actually a rider, against computer and electronic crime. The bank had two breaches, one in 2016, and one again the following year, for a total loss of 2.4 million dollars.
The insurer, Everest National Insurance Co., offered $50,000 as settlement.
The insurer claims that the loss was a debit card loss, even though malware was installed on a bank server via a phishing attack. ATMs and cards were used, but only a lawyer could make that kind of claim. That's why insurance companies employ lots of lawyers.
If you read the details of the article, it sounds very likely that the insurer will win and the bank will lose. I'm unsurprised: this kind of weaseling by insurance companies is exactly the type of thing I've been thinking in regard to cyberinsurance since I first heard of the idea thirty years ago.
We've mentioned insurance in a variety of other contexts here in the "community": vendors using "cheap" insurance as a come-on, vendor liability, detailed risk analysis, professional liability (we actually did that twice), insurance for chapters, and even whether we can insure ourselves against GDPR fines.
............
Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413
This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
