Ray Alner

Ridiculous Cost of CyberSecurity Insurance & The Future

Introduction

Cybersecurity insurance is something many companies did not think they would need even ten years ago; some of the earliest policies were only written around 2000. I think many companies did not expect it to become a requirement this fast, and many industries will be surprised at how much the price keeps rising as new attack vectors become prominent and data becomes more valuable to criminals. Here is my take on why these cost increases will keep getting worse until the industry changes tactics on data ownership: 1) many of us use the same companies and apps to store and manage data; 2) there are differing opinions on whether to pay ransoms; and 3) it will take IT groups time to adapt their networks to work from home. I know this is long, but I think it raises some useful points about how these factors will affect cybersecurity insurance and its cost.


Everyone Using the Same Infrastructure/Apps

I heard this one on Daniel Miessler's podcast, where he hypothesized some problems with cybersecurity insurance. With so many industries and companies using the same or similar app and platform providers, it will not be long before a major attack on one platform is classified as an "act of terrorism" or an "act of God" and therefore excluded from coverage, leaving many companies paying out of pocket for cybersecurity analysts and recovery services. WannaCry and NotPetya (both 2017) are the obvious examples: in the NotPetya case, Zurich American Insurance Company denied Mondelez's roughly $100 million claim under the policy's war exclusion, arguing the attack was a "hostile or warlike action" (the dispute was eventually settled in 2022). The underlying problem is that we are all using the same platforms: once an attack works through one major vector, it works on every similar system.


To Pay or Not to Pay

Paying out on ransomware is a sticky spot for many industry experts. Some believe paying gets the data back faster, and since this vector keeps succeeding, why not pay to get the data back quickly and easily? Others say that paying makes it a viable attack vector and emboldens those who use it, because it is financially rewarding. Paying also does not guarantee a working decryptor or that stolen data is deleted. Some governments discourage or restrict payment: in the US, the Treasury's Office of Foreign Assets Control has warned that paying a ransom to a sanctioned actor can itself violate sanctions law. It is a difficult dilemma with no clear consensus from the cybersecurity industry on the best way to control this threat, especially for a business that depends on information and on access to it: if it is locked out, it will do almost anything to get back on its feet and making money again.


Working from Home

Working from home added an entirely new attack surface as companies scrambled to make remote work possible during COVID-19. Attackers made it a priority to find ways into corporate networks through the remote-access connections IT groups built in a hurry so employees could work from home. While I fully support a work-from-home future, companies are still trying to find the best way to protect their networks, and insurers are trying to work out how to price this new variable in both the short and the long term.


The Future

I think the future of cybersecurity insurance will require a complete overhaul of how devices are protected and how data is handled.

Here’s what I think:

  • The cost of insuring the data companies hold will force a re-evaluation and classification of that data, pushing companies to consider holding less of it (data minimization) to reduce the cost of cybersecurity insurance. Data that is never stored cannot be breached.

  • Users will hold companies to a higher standard, providing less data to them or requiring compensation for the use of their data.

  • Compliance requirements and fines for non-compliance will increase as users, states and countries pressure companies to become better data stewards, holding them accountable when they do not monitor and safeguard user data.

  • Dedicated "data holding" companies will emerge that follow the letter of the data laws, allowing other companies to reduce or entirely remove their liability and their need for cybersecurity insurance, because they do not hold the data themselves; they only use data provided through the data holding company. These companies might charge "per record" or "per field" for access, granting a company access while also paying the user for the data they provide to other companies (as agreed by the user). One caveat: under today's privacy laws such as GDPR, the company that decides how data is used generally remains liable even when a third party stores it, so this model would also need the law to catch up.

Some of these ideas may never come to fruition, but others I think we will have to take seriously to help close the data-breach gap, reduce liability and rein in the rising cost of cybersecurity insurance.

