An Underwriters’ Guide to Cyber Risk: Managing 3rd Party Risk – Part 3

Due to the length of this detailed topic, it will be broken into multiple parts. Previous portions here:

An Underwriters’ Guide to Cyber Risk: Managing 3rd Party Risk – Part 1
An Underwriters’ Guide to Cyber Risk: Managing 3rd Party Risk – Part 2

Technical Approvals in Cybersecurity: A Missing Pillar of Risk Management

In traditional industries, technical approval processes are a vital part of ensuring safety and reliability. For example, companies often pay to have their devices tested and approved by organizations like UL, which rigorously test products to ensure safety and reliability. Safety-critical devices—such as fire alarms, fire pumps, and safety doors—require approval before being used by insured parties, giving insurers the confidence that these devices will perform when needed.

Cybersecurity, however, lacks a similar robust system of technical approvals. Without an established process, standards in cybersecurity are often vague and difficult to enforce. For instance, many standards simply state that an organization must have a “firewall” or use “industry-standard encryption.” These requirements are difficult to enforce because they are vague—what exactly qualifies as an acceptable firewall, and who verifies it? There are many products that could meet these requirements on paper, but without an approval process, there is no consistent or provable standard of quality.

Technical approvals are ultimately an absolutely necessary step to establishing universally high standards. This is what will, eventually, end the problem of high levels of third party risk forever. It is an unavoidable part of standardizing risk management in technology and reining in losses. It will, unfortunately, be difficult to make great progress in cyber security until such time as a robust system of independent testing and approval is established. This will create the “ecosystem of trust” that is necessary to enforce security.

A Well-Established and Necessary Process
It is unusual that cybersecurity proceeds without technical approval, but this reflects an outdated mindset in IT, where buyers assume all risk without warranties or guarantees. Technical approval is a well-established process in many industries, providing independent verification that a product meets specific standards and ensuring accountability. It is no longer the 1980s, and software and IT products are no longer specialty products or experimental, but this mentality still persists.

Just How Bad Are We Doing With Cyber Security? Let’s look at the past week…

So just how bad is ransomware and cyber security in general? To get an impression, let’s look at the past week. Just over the past 7 days, there have been over a dozen major ransomware attacks, though a few have not been well reported in the news media. The fact is, we have fallen for a kind of creeping normality. It’s not normal and it should not be considered a routine thing to see this happen.

Starbucks Impacted By Cyber Attack
Stop & Shop Hit By Cyber Incident – May Result In Bare Shelves
Supply Chain Management Vendor Blue Yonder Succumbs to Ransomware
The City of Odessa, TX Experiences a Cyber Incident
Weeks Later, Problems Persist At Hannaford Supermarkets
Wirral University Teaching Hospital Experiences Major Cyber Incident
Retailers Struggle After Attack on Supply Chain Provider Blue Yonder
RRCA Accounts Management Falls Victim to Play Ransomware Attack
Aspen Healthcare Services Announces Data Breach
Zyxel Firewalls Targeted in Recent Ransomware Attacks
Fintech Giant Finastra Investigates Data Breach

Cyber Insurance Applications Revealed

The moral failing of insurance that pays ransom regularly, makes no attempt not to, affirmatively disengages leaders and funds terrorism should be obvious, but many argue with me, stating that insurers are doing the best they can, have incomplete data, or that they are improving.

Unfortunately, they’re not. There have been a few small measures taken, mostly just in terms of wording changes. Not a dime has been invested in enforcement or compliance management.

To show how negligent these insurance companies have been, it’s important to take a look at the applications they have for cyber insurance. These applications represent all that these companies have, in terms of policy controls. It’s abundantly clear that no adult with any idea how any of this works wrote these. There is never any other enforcement. Even large clients do not receive independent assessments or audits. These “requirements” are not generally enforceable, do not create a call to action, and just plain won’t ever work. Money will continue to be lost until even the most minimal efforts to do otherwise are made.

Cyber insurance is considered a loss center (for some reason) and for this reason it gets zero investment and the underwriters who end up on this line are typically the lowest achievers. That’s truly the opposite of what is needed here.

These applications seem to be current, although some have not been updated in years. I do not think it is at all unreasonable to say that those who were responsible for writing the loss controls, for an insurance that paid extortion, to foreign hostile parties, should face some kind of criminal charges. This is not normal. This is not okay. It should not be normalized to have such clueless people, when professionals are available.

Check out this PDF to get an idea of just how bad this situation is.

BREAKDOWN OF CYBER INSURANCE APPLICATIONS

HSB Total Cyber Insurance Application
AIG’S CYBER UNDERWRITING APPLICATION
Travelers CyberRisk Applications and Forms
Chubb Cyber And Privacy Insurance
Beazley Cyber Application
The Hartford CyberChoice Premier Application
FailSafe Cyber / Information Risk Supplement Application

How To Underwrite Cyber Insurance Properly

Because the artificial risk of cyber-attacks is so controllable, cyber insurance can be a reliable cash cow, but we must rethink what cyber risk is and what role cyber insurance plays. Doing so unlocks the door to billions of dollars in potential profits. Currently, nobody in the entire insurance sector knows how to do this and nobody does it properly.

The term for what we are living through is moral crisis.

Last year, the world lost hundreds of billions of dollars to cyber attacks and trillions were lost to the total economic impact of these attacks.  The biggest problem is ransomware, but business email compromise, leading to fund transfer fraud and other types of account interception and social engineering fraud are also costing the economy billions.  Every week, we hear about more police forces, hospitals, schools and critical institutions being attacked.  Ransom is frequently paid.  Lives have even been lost.  It’s no longer possible to rely on your doctor, lawyer, police force or fire department to be there for you and not leak your private information.

And then we have cyber insurance, which keeps paying ransom and racking up losses, insisting that “cyber is just inherently high loss” or “cyber incidents are like earthquakes: unpredictable and unstoppable.”  We see top ranking executives, even the likes of Warren Buffett saying that it is expected that cyber insurance will lose money.  It will because cyber risks are just big risks and we don’t know how to control them.  Also, we don’t have enough data, and perhaps in a few years we will be able to figure out how to price it.

As an expert in cyber security, ransomware especially, with an education in cyber security and over 20 years of experience, I cannot stress this enough: THIS IS INSANE!

Cybercrimes are just that: crimes.  Like all crimes, they are human created and can be stopped. Cyber security is not some oddball unfigured-out kind of thing.  It’s just bad guys breaking into our systems because we do not institute strong enough controls.  The idea that cyber criminals are so much smarter than our best engineers is absurd.  It’s the year 2024 and the US has the best technology in the world.  None of this needs to happen.  We could shut this down in a day, if there were proper experts involved.

There has been a massive misunderstanding of the nature of cyber risk by the insurance sector, and in doing so we have entrenched a monster which is sapping hundreds of billions of dollars out of the legitimate economy and is funding terrorism.  The history of cyber insurance is a comedy of errors.  There’s no reason legitimate cyber risk experts should not have been consulted from day one, but there was a belief that cyber was simply a shiny object that could be monetized to appeal to the digital age. Insurers have been trying to sell cyber insurance without investing a dime in understanding it. They’ve simply broken something they don’t understand and now consider it a lost cause. This is absurd.

The truth is simple: If not for the fact that cyber insurance has come along and decided to encourage bad behavior, while funding crime, we would not have the ransomware problem we do. Our hospitals would be safe. Our schools would be safe. Our emergency services would not be targeted. The problem cannot currently be solved, because insurance companies stubbornly insist that they don’t want to, but are fine paying out ransoms.
