Threat Level: green Handler on Duty: Manuel Humberto Santander Pelaez

SANS ISC: Are there any Advantages of Buying Cyber Security Insurance? SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Are there any Advantages of Buying Cyber Security Insurance?

I recently was reading an article about Cyber Insurance and got intrigue on the type of coverage offered. Recovering from a Cyber attack can be very expensive and cyber security insurance offers the ability to transfer some of the risks to an insurance company. Some estimates that 1 in 3 company currently have cyber insurance. Then I found this presentation [2] that identified 10 misconceptions about Cyber insurance and provided an answer about each of them. I found very interesting the #1 Objection "We outsource our IT Services" and one of the 3 answers is even if the data is outsourced, "Legal responsibility CANNOT be transferred by contract", it is the data the company has been entrusted to protect.

I started looking around and found several companies offering various type of coverage that range from:

  • Covering direct costs responding to an incident
  • Lawsuits or claims resulting from a cyber incident
  • Reputation management
  • Regulatory fines payments.

The policy cost will vary according to several factors such as the industry, the company size, past claims (if any), security in place, etc.

For example, Equifax 2017 data breach cost them an estimated 1.4 billion [3] and they had only $125 million covered by insurance. In the past, this type of breach would have probably bankrupt the business.

I tried one of the Cyber insurance website to get a basic quote for a small IT company with 1 million in liability and the annual cost is $885 per year. Here is the result:

[1] https://www.zensurance.com/cyber-liability-insurance
[2] https://www.schinnerer.com/Content/Industries/Cyber/Documents/Cyber_Webinar_-_Overcoming_Cyber_Insurance_Objections.aspx
[3] https://www.databreaches.net/equifax-reaches-1-4-billion-data-breach-settlement-in-consumer-class-action-also-agrees-to-pay-575-million-as-part-of-settlement-with-ftc-cfpb-and-states-related-to-2017-data-breach/

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Guy

446 Posts
ISC Handler
The premiums across providers vary greatly because the actuarial statistics regarding cyber events are still being tabulated. The nuances of coverage in a cyber insurance policy can make the head spin when trying to make sure all bases are covered. Although we carried cyber insurance, we were not covered for a CEO fraud loss that the company incurred. If possible, work with a broker and ask lots of questions.
Anonymous
One of the interesting things about the recent spate of ransomware attacks is the role of cyberinsurance. Some of the municipalities attacked have called on their insurers for payment, and so reduced the cost of the attacks, not just by paying the ransom. But there are indications that the attackers have targeted some municipalities precisely because they are insured and thus, they believe, are more likely to pay up. See https://www.nytimes.com/2019/08/20/us/texas-ransomware.html.
JCV

2 Posts

Sign Up for Free or Log In to start participating in the conversation!