Ask Slashdot: Cyber Insurance. Solution Or Snake Oil?
onehitwonder writes "A recent article in The Wall Street Journal's CIO Journal argues in favor of the benefits of cyber liability insurance — policies designed to help companies cover costs they incur in the aftermath of data breaches (whether for investigation, remediation, customer notification, regulatory fines or legal settlements). Two Deloitte consultants interviewed for the article argue that cyber insurance can help companies offset the increasingly staggering costs of a data breach. (Several of the biggest data breaches in recent history, including Heartland and TJX, have cost those companies hundreds of millions of dollars. A Mizuho Investors Securities analyst estimated the total cost of the 2011 Sony data breaches at $1.25 billion.) The question is: will insurance providers really come through when companies begin filing claims on their cyber liability policies, or will they find ways out? A 2011 article from Computerworld notes that even though a growing number of companies have been purchasing cyber insurance, it's hard to find examples where one of those policies has actually covered the costs of a data breach. Moreover, the Computerworld article points out that many cyber insurance policies cover only the cost of re-creating whatever data may have been lost during the breach — not notification costs, legal costs or other related expenses."
Insurance companies *always* try to find a way out. That's their job: protect their bottom line.
If you don't get too screwed, they'll probably pay out, just because it improves their reputation enough to improve their bottom line.
Do you want to bet that you'll get less screwed by a data intrusion than by the insurance company? Go for it!
---jstlook ---For that is the way of Elves, for they say both yes AND no, and mean every word of it. --- J.R.R.T.
Do you want to bet that you'll get less screwed by a data intrusion than by the insurance company? Go for it!
That is in effect the essential idea of insurance. It's a wager. Clearly it only works if more money gets taken from "losers" than gets paid to "winners."
"His name was James Damore."
When you look at the various data breaches that became public in the more recent past (especially those done as some kind of protest or out of spite, to harm a company in its goodwill) and analyze the attack vector, you cannot help but shake your head in disbelief. The vectors range from SQL injections to exploits in ancient software that should have been patched months, if not years, ago. If that isn't the textbook example of negligence, what is?
Still, I'm all FOR insurance. Because insurers are notorious for requiring their customers to minimize the chance of having a reason to file a claim, and your premium is usually dependent on your risk. If you invest in security, your insurance premium would be lower, and we might FINALLY see some CEOs invest in security, since now they can see that it's cheaper than paying for the insurance, since they're blind to the fact that it's cheaper than paying for the fallout.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
And here is a great article from researcher Rainer Bohme that explains why it's hard. It's a fairly technical paper, but one big issue is that insurance companies operate on a reserve that assumes catastrophic events are bounded, perhaps by region. That's not the case with correlated cyber-risks. This is explained in Section 3.
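As an added illustration of the reserve argument in the comment above (example code, not from the Böhme paper or the original discussion): it assumes a constructed portfolio of 100 insureds, a 5% annual breach probability each, one loss unit per breach, and a 2% yearly chance of a common-cause event (a shared software flaw, say) breaching every insured at once, then compares the expected loss and the 99% reserve with and without that correlation.

```python
from math import comb

# Constructed portfolio: 100 insureds, 5% annual breach chance each,
# one loss unit per breach, 2% chance per year of a common-cause event.
N_INSUREDS = 100
P_BREACH = 0.05
LOSS_PER_BREACH = 1   # e.g. $1M; an integer so losses are exact dict keys
P_SYSTEMIC = 0.02

def binomial_pmf(n, p):
    """Exact P(k breaches) for k = 0..n when breaches are independent."""
    return [comb(n, k) * p**k * (1 - p)**(n - k) for k in range(n + 1)]

def aggregate_loss_dist(n, p, loss, p_systemic):
    """Map of portfolio loss -> probability.

    With probability p_systemic a common-cause event hits every insured
    in the same year (the correlated case); otherwise breaches are
    independent. p_systemic = 0 gives the textbook independent model."""
    dist = {}
    for k, prob in enumerate(binomial_pmf(n, p)):
        dist[k * loss] = dist.get(k * loss, 0.0) + (1 - p_systemic) * prob
    dist[n * loss] = dist.get(n * loss, 0.0) + p_systemic
    return dist

def expected_loss(dist):
    return sum(x * pr for x, pr in dist.items())

def required_reserve(dist, level=0.99):
    """Smallest loss the insurer must hold to cover `level` of outcomes."""
    cum = 0.0
    for x in sorted(dist):
        cum += dist[x]
        if cum >= level - 1e-12:
            return x
    return max(dist)

def compare(n=N_INSUREDS, p=P_BREACH, loss=LOSS_PER_BREACH, p_sys=P_SYSTEMIC):
    indep = aggregate_loss_dist(n, p, loss, 0.0)
    corr = aggregate_loss_dist(n, p, loss, p_sys)
    return {
        "independent": (expected_loss(indep), required_reserve(indep)),
        "correlated": (expected_loss(corr), required_reserve(corr)),
    }

if __name__ == "__main__":
    for name, (mean, reserve) in compare().items():
        print(f"{name:12s} expected loss {mean:5.2f}  99% reserve {reserve}")
```

The expected loss barely moves (5.0 to 6.9 units) while the 99% reserve jumps from 11 units to the whole book of 100, which is the bounded-loss assumption failing.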
How do these companies arrive at hundreds of millions or billions of dollars' worth of "damages" anyway? Is this using the MPAA/RIAA method of accounting? Do they have to shut down the entire company for a week? Seriously, did absolutely no one make a recent backup of the databases? Do they have to replace all the computer equipment? Are the IT people so expensive? Where does the figure come from?
Seven puppies were harmed during the making of this post.
Ways out:
- We took the money and ran, your coverage is void.
- You failed to adequately protect your network, your coverage is void.
- You angered nerds, you brought this on yourself, your coverage is void.
Oh, please. Both open source and proprietary software have exploits. Just who is going to pay when a company that uses open source gets hacked? "The community"?
I am not a fan of insurance in general. In essence, you are betting against yourself. For the case of this article, why don't you take the money you pay in insurance premiums and invest it in securing your systems... Seems like a better bet to me.
So in other words, insurance motivates you to do things you should do anyway. And for the privilege of this knowledge you get to pay them less. The other alternative is to do these things anyway.... Yes, I know that, in theory, insurance can be a way to balance risk over a wider group. However, much modern insurance is a money-grabbing scam. Most people are way over-insured, and pay more in premiums than the realistic risk.