Risk transference via Cyber Insurance - Be careful
It looks like one of the major options that we heard touted in the CBK may not be all that advantageous. I don't think it will improve as more data is gathered regarding cyber incidents. It will be very hard to predict where the next issue will come from.
> Flyslinger2 (Contributor II) posted a new topic in Industry News on 12-04-2018 09:51 AM in the (ISC)² Community:
> It looks like one of the major options that we heard touted in the CBK may not be all that advantageous. I don't think it will improve as more data is gathered regarding cyber incidents. It will be very hard to predict where the next issue will come from.
I first heard about computer/cyber insurance about three decades ago. I thought it was a highly questionable (read "bad") idea then, and I haven't seen any improvement since.
You've heard the saying about if you know the difference between good advice and bad advice then you don't need any advice? Well, pretty much the same with cyber insurance. People seem to think they can buy cyber insurance instead of doing risk assessments. If you don't know the risks, you *definitely* don't know how much benefit you are getting out of insurance in regard to the costs you are paying.
From our experience in little New Zealand, many of the 95% Small to Medium Enterprises regularly use cyber insurance as a means of mitigating the initial shock horror to cover the costs. But then the major cyber insurance providers hit them subsequently with ISO 27001 and audits to compensate with higher premiums, if they do not comply with requests.
There is a notion going around about placing liability on vendors as well - not sure how far that is going to go at the present time.