
RSA 2016: Cyber-Insurance

Feb 25, 2016 · 3 mins
Data Breach · Disaster Recovery · Security


When I was a kid growing up in Montreal, every now and again a door-to-door salesman would knock on the door. My parents would roll their eyes and chase the interlopers away. Sometimes they would be selling encyclopaedias (remember them? no? never mind), other times knives and even vacuum cleaners. But once in a blue moon there was an insurance salesman. I would sit in the living room and listen to the conversation. It always fascinated me as a child that people would engage in this sort of business.

Years later, I get it now. Insurance makes sense. But back then it was a curious thing to me. Now the curious aspect has returned. As I prepare for the onslaught that is the RSA Conference next week in San Francisco, I wondered whether cyber-insurance will be the prevailing theme of the conference, or whether it is still too early for it to reach mass adoption. I guess we shall see.

When you experience a website breach you find new levels of despair at first. You feel violated, and then you get over it. You clean up the mess and move on. Well, that is if you are able to move on. The curious question is how much damage was done. Was the information of your one-million-plus customer base splashed across the Internet? That is the type of damage that could end a company. Enter the cyber-insurance play: a family of insurance products meant to protect companies from Internet-based risks.

My curiosity rises around this subject. I wonder how an insurer can validate that a company has actually taken the steps it claims, and been diligent in protecting its assets, rather than simply ticking the boxes. I would imagine the bar is set rather high; otherwise, judging by recent news headlines, insurance companies will be paying out at an alarming pace.

I did a search on one insurance company's website to see what sort of forms they had. What I came up with was a checklist of the security controls they were expecting: malware protection, password controls, usage policies, intrusion detection systems, backups and so forth. All pretty standard fare.

The part that grabbed me was that they wanted to know the company's attack history for the last few years. If history has taught us anything, it is that most firms have little visibility into how often, or by what means, they have been attacked. When the insurance company questionnaire wanted to know how quickly the company had detected an attack, with answer ranges like "between 15 minutes and an hour", I actually laughed aloud. On average it seems that attackers have a good 200 days inside a network before the company detects the breach.

So much for passing that part of the application.

Now, where is your company headquartered? This is going to play into the type of coverage you are able to get; for example, Europe versus North America. No surprise there, but it needed to be said. The need for breach coverage is rising with every passing day, and it is getting more expensive all the time. According to a PWC survey, at least 59% of respondents are incorporating cyber-insurance into their battle plans.

Just from my initial examination of the market, it seems there is a lot of ground to cover yet. But the need for cyber-insurance seems self-evident.


Dave Lewis has over two decades of industry experience. He has extensive experience in IT security operations and management. Currently, Dave is a Global Security Advocate for Akamai Technologies. He is the founder of the security site Liquidmatrix Security Digest and co-host of the Liquidmatrix podcast.

The opinions expressed in this blog are those of Dave Lewis and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
