Insurance taking center stage in Cyber - improving and maturing it?

Before tweeting the above, I spend some days trying to succinctly put into words what I was observing and thinking would take place in Information Security in the near future.

There is little doubt in my mind that ransomware is one of the biggest threats facing organizations and governments these days - the initial vectors of compromise vary from vulnerability exploitation to phishing (maldocs or cred stealing).

Organization Cyber Insurance

What I then started thinking of was one of the best ways to deal with this threat. Yes, we can update our systems and use 2FA and be cautious of unsolicited emails, etc but I kept coming back to insurance.

But talks of cyber insurance are nothing new.

In 2003, Pual Kurts, former Homeland Security Council and National Security Council Director, commented :

“The Insurance industry has a pivotal role to play in protecting our national infrastructure, particularly by developing cyber insurance policies”

I’m also of the view that Cyber Insurance will do more for Cyber Security maturity and resilience, than some things we have concerned ourselves with over the years due to cyber insurers’ minimum security requirements for coverage. It may feel or sound like a cop out to some in infosec, but it is what it is.

Some of the rough ideas in my mind are:

• lower security maturity could mean higher insurance premiums, especially if the Org has had breaches in the past

• higher security maturity could mean lesser insurance premiums (maybe)

Just as one type of control isn’t enough, I’m of the view that cyber insurance will be a norm.

Right now, perhaps it’s talked about in hushed voices in work corridors and behind closed doors in board rooms. But I fully expect it to be an open, standard thing in infosec.

Perhaps even with third-party supplier management (“ hey, we wanna do business with you, but what are your infosec policies, processes and governance? And do you have cyber cover?”) Or maybe not :-D

cyber insurance is and should be part of every Organizations arsenal for effective risk management

Cyber Insurance is the fastest growing line of business in the insurance industry and cyber insurance premiums have grown to an estimated USD 2 billion in North America and USD 3 billion globally and there are no signs of it slowing down.

We already know of a few public instances where an Organization had to pay ransom after systems where encrypted. In a few such cases, the cyber insurance actually paid :

• University of Utah pays $457,000 to ransomware gang - cyber insurance pays part of the ransom

• Garmin allegedly paid ransom although still unclear if their cyber insurers cough up

Over and beyond Organizational cyber insurance, one area of interest has been on the personal cyber insurance aspect.

Personal Cyber Insurance

More on the home front, with more and more home appliances connected to the internet, could we see a rise in personal/home cyber insurance?

We often joke about ones kettle getting ransomware and that spreading within your home network and preventing you from opening the fridge - but such situations, as laughable as they may be, may not be so far fetched.

A survey conducted by Swiss RE provides some interesting results:

• 56% of people would buy personal cyber insurance

• 63% preferred personal cyber insurance bundled with other services

• 37% preferred stand-alone cyber insurance

Personal cyber insurance may yet to be developed (or maybe it already is?). I would be very interested in seeing how it pans out.

Maybe companies will provide “personal cyber insurance” as part of employment perks ;-p.

UPDATE : I came across an awesome, data filed report on cyber insurance claims. Worth a read.