I'm really not sure where to put this. (What "board"/topic to file it under.) I feel it's important for security people to note for their careers. I also wish to complain that ISC2 should be pushing this idea. I wonder if it should be a certification exam question, like "Should you buy cyber insurance?
A. No.
B. Heck no. (Remember the dreaded "community" pr0n filter.)
C. No, no, no!
D. What do you think I am, crazy?"
I've received the latest notice of an ISC2 Webinar. It's for tomorrow. I'm now used to ignoring them, since most are pretty useless, but this one was labelled, "Cyber Insurance: Nice to Have, or Have to Have."
As far as I can tell, that's sort of like asking, "Cancer: Nice to Have, or Have to Have?"
OK, yes, we all know that "insurance" is usually the answer to an exam question that asks us to give an example of risk transfer. That's the theory. In reality, cyber insurance was a really, really bad idea 30 years ago when I first heard of it, and it's still a really, really bad idea. Unless you know more (a lot more) about risk analysis (and your own risk posture) than the insurance company, AND also a lot more about legal loopholes in contracts, you will likely find yourself, when you most need the insurance, up a creek without so much as a teaspoon.
The points you make are valid, BUT this is an area, like car insurance, where it needs to be mandated and regulated by a competent government authority. Why? A real insurance program that is structured to price in the cost of risk based on a company's security posture, that like car insurance is mandated, and that the state enforces quality standards on, will force managers to think about risk in realistic terms, since it is in the insurance company's interest to keep costs down by making those who transfer more risk to them pay a higher price for bad practice.

I know the libertarian fantasy argument that the market will take care of everything. Well, it has not worked, and while the market sorts things out the consumers get toasted. There are more breaches costing the consumer lots of money, and the CEOs get paid handsomely and assume no personal risk; the company runs the risk of getting sued and fined and going under, but that does not solve the consumer's loss.

This is an outstanding article by the renowned Bruce Schneier on this relevant and important topic, see https://www.schneier.com/blog/archives/2019/09/on_cybersecurit.html, and here is a key quote from Schneier's blog: "The private governance role of cyber insurance is limited by market dynamics". That is why I say emphatically that our legislators need to look at cybersecurity and all of IT and regulate them like all other mature industries involving high risk, such as ground and air transportation, are regulated. Safety regulations have proven to vastly reduce fatalities. Ralph Nader and his crusade made automobiles an order of magnitude safer. I have insured myself against identity theft for years because I saw how a lack of understanding about IT from the "senior executives" caused my information to be lost by OTHER organizations that I had to deal with and that I had no control over, on numerous occasions. The US Government refuses to tighten up on IT like it does on all other industries.
I want to see industries have to buy insurance and to pay up front for poor security practices, just like all other businesses have to pay higher insurance bills when the way they operate incurs more risk. Senior executives can understand that if you operate poorly, you just bought yourself and the company a big insurance bill every month. The senior leaders will never be able to grasp theoretical risk models; they will only grasp cash coming out of their hide and their personal criminal and financial liability.
@rslade wrote:I'm really not sure where to put this. (What "board"/topic to file it under.) I feel it's important for security people to note for their careers. I also wish to complain that ISC2 should be pushing this idea. I wonder if it should be a certification exam question, like "Should you buy cyber insurance?
A. No.
B. Heck no. (Remember the dreaded "community" pr0n filter.)
C. No, no, no!
D. What do you think I am, crazy?"
...
How very timely!
Today's SANS NewsBites
Vol. 21 Num. 080 (not yet online)
has a relevant article:
=-=-=
"AIG Says Policies Do Not Cover Criminal Acts, Asks Court to Dismiss Lawsuit
(October 8, 2019)
AIG is asking a US federal court in New York to dismiss a lawsuit brought by a technology company seeking reimbursement for losses under an AIG cyber insurance policy. The company, SS&C Technologies, lost nearly $6 million when employees were tricked into making fraudulent funds transfers. AIG maintains that its cyber insurance policies do not cover criminal acts."
=-=-=
Alan Paller commented: "The reason cyber insurance doesn’t pay in most cases and is written, as John Pescatore points out, to avoid paying, is that cyber insurance policies cannot be sold to reinsurers. ..."
The actual news article is at
https://www.cyberscoop.com/aig-cyber-insurance-lawsuit-bec/
I think Grandpa Rob has the right set of answers on the quiz.
Craig
The fact that insurance companies selling cyber insurance can get away with tricks like this to escape paying out makes my point that we need government control and intervention in the cyber insurance market, so that cyber insurance legislation and regulation has well-written and binding rules that would prohibit AIG from even being allowed to claim that any cyber insurance policy "does not cover criminal acts" unless those acts are willfully perpetrated by the policy holder.
This is yet again another failure of our legislators when it comes to getting laws and law enforcement fully up to speed and into all aspects of information technology. This article, written nearly four years ago, lays out the considerations and the need to correct the situation. Yet still little has been done except the implementation of the GDPR (and even that has problems because it was not well thought out):
Bilt, C. (2015, October 27). What is the Future of Cybersecurity Governance? World Economic Forum, Retrieved from: https://www.weforum.org/agenda/2015/10/what-is-the-future-of-cyber-governance/
Given the information and links contained above, cyber insurance is a falsehood, a stop-gap to potentially provide a breathing space for an organisation. Now I see cyber insurance being offered for IoT as well; this is akin to the story of the little boy putting his finger into the wall of the dyke, attempting to prevent the flow of water, or King Canute attempting to command the sea to turn back. Then if you look at the law and its interpretation of cyber security and damage: if the source of the damage emanated from overseas, it is not the local ISP's issue, but that of the country from which the attack originated. But if the IP address is false, then what hope do they have of solving it and coming to a mutual agreement?
With the lawyers' interpretation of the Internet, what chance do we have?
It appears many are "blinded by the light" and will grasp at straws to save their organisations; if they had done their job correctly, they might have reduced the level of impact and risk to their organisations with appropriate investment. However, this alone does not guarantee no damage or impact.
Possibly the ex-nuclear bomb bunker is a good bargain?
Regards
Caute_cautim