rslade
Influencer II

Cyberinsurance

Still need convincing that cyberinsurance (computer loss insurance, data breach insurance, whatever) is a bad idea?

 

Talk to National Bank of Blacksburg.

 

Executives had had the foresight to purchase insurance, actually a rider, against computer and electronic crime.  The bank had two breaches, one in 2016, and one again the following year, for a total loss of 2.4 million dollars.

 

The insurer, Everest National Insurance Co., offered $50,000 as settlement.

 

The insurer claims that the loss was a debit card loss, even though malware was installed on a bank server via a phishing attack.  ATMs and cards were used, but only a lawyer could make that kind of claim.  That's why insurance companies employ lots of lawyers.

 

If you read the details of the article, it sounds very likely that the insurer will win and the bank will lose.  I'm unsurprised: this kind of weaseling by insurance companies is exactly the type of thing I've been thinking in regard to cyberinsurance since I first heard of the idea thirty years ago.

 

We've mentioned insurance in a variety of other contexts here in the "community": vendors using "cheap" insurance as a come-on, vendor liability, detailed risk analysis, professional liability (we actually did that twice), insurance for chapters, and even whether we can insure ourselves against GDPR fines.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
5 Replies
Flyslinger2
Community Champion

I've had the full lifecycle of 3 different businesses.  2 in IT and one related to my hobby - a fly fishing store.  After establishing an LLC for each (U.S.A. corp entity per U.S. Tax code), I purchased a liability insurance package next.  I wouldn't dream of taking the first step without having those in place.  I also added a $5M umbrella package on my home in case a lawsuit was ever generated at my company and the lawyers tried to go after me personally.  My one IT company was sued once and I won the case.

 

If I started a cyber consulting company I would have a policy and I would read it cover to cover to make sure the insurance company could not weasel out of their responsibility.

rslade
Influencer II

> Flyslinger2 (Contributor I) posted a new reply in Industry News on 08-01-2018

> If I started a cyber consulting company I would have a policy and I would read it cover to cover to make sure the insurance company could not weasel out of their responsibility.

Ah, but would you *understand* it all? All the traps that they could use to weasel
out of paying? Last time I went through my tenant's insurance in detail, there
were sections that even the adjuster didn't understand ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Patriotism is the Rohypnol of the American Public
- John Bender, http://bantha.cjb.net/john
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade

Flyslinger2
Community Champion

Me and my lawyer!  

 


@rslade wrote:

Ah, but would you *understand* it all? All the traps that they could use to weasel
out of paying? Last time I went through my tenant's insurance in detail, there
were sections that even the adjuster didn't understand ...
Caute_cautim
Community Champion

Hi All

 

An update on Cyber Insurance:   Should organisations invest in Cyber Insurance and/or Cyber Liability?

 

https://securityintelligence.com/why-your-organization-should-invest-in-cybersecurity-insurance/

 

Regards

 

Caute_cautim

 

 

rslade
Influencer II

Yet another excuse insurance companies have found to avoid paying claims: act of war.

 

Most insurance policies have standard boilerplate stating that they don't have to pay if the loss results from an act of war.  So, when Zurich American Insurance Company received a claim from client Mondelez for a NotPetya infection, Zurich American (after making an initial payment) took the position that, since experts have said NotPetya came from Russia as an attack on the Ukraine, it was an act of war, and they don't have to pay out.

 

This is all before the courts, now, and it'll be interesting to see how it plays out.  An awful lot of malware now has "state actor" involvement, so this may make a huge difference to cyberinsurance claims ...

