
Cyber Insurance is in Fashion

Updated: May 28, 2023

Cyber insurance is nothing new - it is some 30 years old - however, it has recently come "in fashion" and is making the rounds, which motivated this post.


Upon first seeing Cyber Insurance being pushed, founder Dustin Schimp said "this is going to be a great money maker for the insurance companies and the purchasers are going to learn a hard lesson that risk cannot be blindly transferred". He knew cyber insurance would not work as marketed or as purchasers expected: simply signing here to transfer your risk and [mostly] wash your hands clean is too good to be true and not a profitable business model. Of course, the industry is now seeing this correction, and what cyber insurance will actually cover is changing in real time.


Ok, so cyber insurance seems iffy. Do I use it, or not? Everyone seems to lean towards it. What you should do is this: use a broker to obtain the carrier's cyber insurance questionnaire, then identify your company's gaps. This will help you understand each gap, such as how many resources will be required to fill it. Hopefully you are thinking about the cost of that gap and its criticality (systemic show stopper, or nuisance).

Additionally, have a lawyer review the document - they should have questions for the provider about the read-between-the-lines items, such as what we see now: do nation-state attacks void coverage?


The main idea of insurance is to take the company's threat tolerance level and, keeping within that limit, implement controls to lower the likelihood of exceeding the cyber insurance limit.


What are the insurance companies looking for? Root Cause Analytics!

Ransomware protections, which is insurance-company speak for: a) do you have backups, b) are they secure, or c) are they on your network, where they will just be ransomware'd like everything else?

  • Large files that are actively being communicated will be corrupted during ransomware encryption, so backups are key.

  • MFA

  • VPN

  • Privileged accounts using PAM

  • CIA

  • Detection, like firewall logs: think of a smoke detector, alerting before the big flames

At the end of the day, cyber insurance (including self-insurance) is one metric in your quantification calculations that helps business owners determine if the risk is appropriate.
