Cyber Insurance - is it *that* simple (I think not)


Lob

What could possibly go wrong?
Nov 7, 2020
It's been mentioned many times on SN, usually in the context of ransomware in local authorities, that cyber insurance has paid up to cover the actual ransom (or a large proportion of it).

The company I work for has a cyber security policy for which the conditions are strict (we must actively manage cyber risk), has a large deductible and costs a pretty penny. It's actually underwritten by a large number of companies. Having discussed it with those setting up the policy, I understand that it is there as a firm-saving insurance in case a worst-case scenario that we could not prevent happens. FWIW, it's a financial institution with regulatory obligations in many jurisdictions that has a multi-billion dollar turnover annually.

Does anyone know where these (typically) state institutions are getting such insurance that serves up Bitcoin for their clients when needs must? It seems the industry will have a massive shake-up at some point because the insurance cannot just be a convenient option to do nothing else and not be prepared.

What is the experience of others in companies who have a cyber insurance in place?
 
Not quite a cyber insurance situation, but I used to work for a large multi-national bank, and I know that the deductible on our theft policy some 20 years ago was GBP10m. It was cheaper to cover the small losses from profits rather than pay the premiums.
 
Not quite a cyber insurance situation, but I used to work for a large multi-national bank, and I know that the deductible on our theft policy some 20 years ago was GBP10m. It was cheaper to cover the small losses from profits rather than pay the premiums.
That is exactly what insurance is. It is a method of transferring risk from the insured to the insuring company. The deductible is the measure of how much risk the insured is willing to bear. For example, as my salary increased, I increased the deductible on my collision insurance as I was able to shoulder more of the cost should an accident occur for which I was liable. Once my car got old enough that the premiums were more than they would pay if it were totalled, I dropped collision entirely.
 
And it seems, according to this week's SN (https://www.grc.com/sn/sn-819-notes.pdf), that insurance is becoming harder and more expensive to get and less likely to pay out as a safety net for those who do not or cannot prove that adequate controls were in place at the time of the incident. Hardly a surprise, since insurance is a business based on profit and not on being some kind of charity.

I am expecting fewer payouts supported by insurance in the future, especially for incidents involving ransomware/RaaS.
 
If my insurer was only going to pay if I had adequate protections in place, I would want them to provide a service that evaluated whether I was insurable. That's what my insurance company did when I applied for long-term care health insurance.
 
Insurance companies are notorious for trying to find loopholes to not meet what appeared to have been their commitments. Those "no medical life insurance" companies, for example, have outs for things like suicide, and if they judge that you didn't qualify they will simply pay back your premiums rather than pay the expected coverage those premiums were supposedly purchasing. One could argue that buying insurance for something that is fully preventable (note I didn't say easily preventable) is a certain form of negligence if it causes any apathy towards correct preventative actions. (Such as lax IT or lax user training about the dangers.)
 
Think of it like car insurance: if the insurer finds your car not to be roadworthy for whatever reason, they will not pay or will reduce the payment. I am sure such clauses are in policies.

Cyber insurance in particular is there to transfer the residual risk, not to offload the entire risk while you sit there and do nothing to reduce it.
 
............... For example, as my salary increased, I increased the deductible on my collision insurance as I was able to shoulder more of the cost should an accident occur for which I was liable. Once my car got old enough that the premiums were more than they would pay if it were totalled, I dropped collision entirely.
While most people believe auto insurance is for casual use, my intent was only to use it for a "catastrophic" situation. So I wanted to set a 10k deductible and pay as little as possible for insurance. Nope. The max they would even go was something like 2k. Also of interest, increasing the deductible made negligible difference in the price. Shop around? All doing the same thing. It became apparent that their only interest was collecting as much as possible in the shortest amount of time. Although price collusion is supposed to be illegal (ask the LCD display industry about that), insurance companies have enough money in government not to have to worry about such things. Last year, for example, ONE division of ONE company took in FOUR BILLION dollars in just TWO months. The only reason I was able to figure that out is because they gave a little too much info when boasting about a "generous" $600 million "give back", supposedly 15% of what they took in for April/May. I don't think they'll be making that mistake again. Their average expenditure for claims is stupidly low, BTW.
 