...but you CAN buy a cyber insurance policy!
I spent a couple of days last week talking with insurance folks: brokers, agents and attorneys. I heard more about cyber insurance policies in two days than I've heard in the last five years. And you know what I think? As far as I can tell, underwriting cyber policies is still pretty much a jump ball. And payouts are decided more by legal clauses than by losses from legitimate risk.
I asked: why don't you test the networks before writing that policy? The answer? Brokers worry that if they can't write a policy within a certain period of time (two weeks?), the customer will go somewhere else for that policy.
And what about the payout? During one panel, one of the attorneys described how he spends time brainstorming new language for clauses (exclusions?) that could be used in the policy.
So, two questions, and my thoughts:
First... With a 14-day turnaround time to market, can't an underwriter do some initial testing?
Hell, you can't get life insurance without someone sticking their finger in your butt. So why not run a few tests to see if an insured is worthy? Worried about time? Time is always a concern, but even without relying on the 'report card' cyber index systems, a real-time perspective on what's going on inside the network can be gleaned without ever looking inside the network. At the same time, car insurance companies now offer plug-ins for the on-board computer. Why not try the same thing with computers? A week on a span port at an egress point could offer an enormous amount of information about what's happening on that network. With that information, write the policy! Use the test data both to underwrite and to set a goal-driven process with the company: if they fix what was found during the physical, their premiums drop. It works this way in car insurance, right? Safe drivers get better rates than those who speed? Longer track records of safe driving = lower premiums? So why not cyber?
Second... Are lawyers the best way to ensure lowered risk when writing one of these?
My thoughts: I do not presume to know the insurance industry, but I have had some experience as both an agent and a broker (life, health, P&C). Although that was many years ago, my experience says this: there's a balancing act between profit and the need to pay out a claim. Should lawyers be involved? Probably. Should they be brainstorming new clauses? Probably again, but they do so with the understanding that most insureds (the people who buy those policies) will not catch the clause, will purchase the policy unknowingly exposing themselves to risk, and will expect, but not receive, payout on everything they thought was covered. And if they do catch it? Heck, don't buy the policy. The market will speak for itself!
Bottom line: there are a million ways to quickly test for risk. Just ask, and we'll either help or point you in the right direction. Triage analysis is easy. You can pull logs, attach yourself to the network, or use passive external means to listen for activity that might tip you off to the security posture of the network, all with plenty of time to keep the competitive ball in your court.
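To make the "week on a span port" idea concrete, here is an added example (my own illustration, not code from the original post) of the kind of triage an underwriter could run over egress flow records before writing a policy. It assumes the span-port capture has already been reduced to CSV flow records with the fields `timestamp,src_ip,dst_ip,dst_port,proto,bytes_out`; the sample lines, the RFC 1918 definition of "internal", the cleartext-port list, the bulk-egress threshold and the scoring weights are all constructed assumptions for the example.

```python
"""Posture triage over egress flow records captured at a span port.

Added example, not from the original post. Assumes flows were reduced to
CSV lines of the form: timestamp,src_ip,dst_ip,dst_port,proto,bytes_out
"""
import csv
import ipaddress
from collections import defaultdict
from io import StringIO

FIELDS = ["timestamp", "src_ip", "dst_ip", "dst_port", "proto", "bytes_out"]

# Constructed sample: a week of traffic condensed to a handful of flows.
SAMPLE_FLOWS = """\
2024-01-08T09:00:00,10.0.0.5,203.0.113.10,443,tcp,1200
2024-01-08T09:01:00,10.0.0.5,203.0.113.10,443,tcp,900
2024-01-08T09:02:00,10.0.0.7,198.51.100.20,23,tcp,300
2024-01-08T09:03:00,10.0.0.7,198.51.100.21,21,tcp,4500
2024-01-08T09:04:00,10.0.0.9,192.0.2.33,80,tcp,70000000
2024-01-08T09:05:00,10.0.0.9,10.0.0.1,53,udp,120
2024-01-08T09:06:00,10.0.0.12,203.0.113.44,445,tcp,2000
"""

# Outbound use of these ports implies cleartext credentials or data (assumed list).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}
# Outbound SMB is rarely legitimate at an egress point (assumed list).
SUSPECT_OUTBOUND_PORTS = {445: "smb"}
# Assumption: per-host outbound volume above this many bytes is flagged for review.
BULK_EGRESS_THRESHOLD = 50_000_000
# Assumption: "internal" means RFC 1918 space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    """True when the destination is outside the internal address space."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse CSV flow lines into dicts with numeric port and byte fields."""
    rows = []
    for row in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        row["dst_port"] = int(row["dst_port"])
        row["bytes_out"] = int(row["bytes_out"])
        rows.append(row)
    return rows


def triage(flows):
    """Collect posture findings from egress flows only (internal traffic is skipped)."""
    findings = {"cleartext": [], "suspect_ports": [], "bulk_egress": []}
    bytes_by_host = defaultdict(int)
    for f in flows:
        if not is_external(f["dst_ip"]):
            continue  # not egress traffic
        port = f["dst_port"]
        if port in CLEARTEXT_PORTS:
            findings["cleartext"].append((f["src_ip"], f["dst_ip"], CLEARTEXT_PORTS[port]))
        if port in SUSPECT_OUTBOUND_PORTS:
            findings["suspect_ports"].append(
                (f["src_ip"], f["dst_ip"], SUSPECT_OUTBOUND_PORTS[port]))
        bytes_by_host[f["src_ip"]] += f["bytes_out"]
    for host, total in sorted(bytes_by_host.items()):
        if total > BULK_EGRESS_THRESHOLD:
            findings["bulk_egress"].append((host, total))
    return findings


def posture_score(findings):
    """Score 0..100; weights are assumptions an underwriter would tune to their book."""
    score = 100
    score -= 10 * len(findings["cleartext"])
    score -= 15 * len(findings["suspect_ports"])
    score -= 20 * len(findings["bulk_egress"])
    return max(score, 0)


if __name__ == "__main__":
    result = triage(parse_flows(SAMPLE_FLOWS))
    for category, items in result.items():
        print(f"{category}: {len(items)}")
        for item in items:
            print("   ", item)
    print("posture score:", posture_score(result))
```

The point of the script is the shape of the data, not the weights: the same summary can be produced with only passive observation at the egress, and re-running it after the insured remediates the flagged items gives a measurable basis for the "fix it and your premium drops" loop described above.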