In an attempt to quantify stupendous risk, cyberinsurers ratchet up premiums, deploy gimmicks


Okay, so your 1% figure seems astronomical to me, but imagine it’s 0.01%. The number could still be unpayable.

In the current capitalist climate I’m not even sure why people buy this insurance. The people who make the decisions for the insurance companies have already cashed their bonus checks for getting your money, it’s no skin off their backs if the insurer goes bankrupt when it’s time to pay.


A good strategy might be to choose an insurance company that isn’t bankrupt.

They’re perfectly solvent until someone makes a big claim.

You’ve heard of ‘too big to fail’? Well, this is ‘Too big/careless to insure.’

Insurance companies have insurance bought from reinsurance companies.
I’d like to know what their policy is on this.

Insurance always excludes catastrophe: war, tsunami, aliens, whatever, for exactly this reason. If they didn’t, there would be no insurance companies at all, which might sound pretty good until your house catches fire.

They tried to exclude the WTC for the same reason, until politics forced them to make an exception. Normally, an act of terrorism or war is an uninsurable risk. This is also why you can only buy flood insurance from the Federal government. No company could pay for a thousand houses at once, but a Democratic congress can.

Not true where I live. I can buy insurance against flood (and other natural disasters) from a private insurance company, the rates are steep though.

I suspect that the services of good old team ‘tort reform!’ may be called upon. That’s the dangerous thing about having people with substantial resources staring down nigh-infinite potential costs. Even extremely arduous and expensive regulatory capture projects become a very sound investment compared to the alternatives.

With the exception of insurance covering direct expenses (downtime from ransomware and wipers, that sort of thing), where the cost is directly imposed by the failure, most of the risk is of the ‘and someone might actually punish you’ flavor, which can be mitigated by changing the rules.

They have policy limits too. In the huge example claim, probably for a single event, the insurance company will have a limit. It might be $10 Million, but it’ll still be a limit. If it was $100 Million, you can bet they bought reinsurance for a good part of that, maybe for the entire loss between $10M and $100M. Whomever they bought it from, they in turn bought more reinsurance from someone else. That entire exposure is split up into a huge blanket of players each with a very specific exposure amount at a very specific location in the loss. The higher up, and hence less likely to be used, all cost less too.

So, a $1 Billion dollar loss to the breached company isn’t going to put a good insurance company out of business. They’ll have well defined exposure. The actual company on the other hand will still be on the hook for the part above the policy limit.

The flood exposure has more to do with risk distribution. If every house everywhere could flood, then everyone would buy flood insurance. If when a flood came, it only hit a small percentage of those, the insurance company would be fine. That’s not how floods work though. We know what areas are likely to flood and what are not. Only the people in the likely areas buy insurance. So, right away, the risk pool is skewed, it only contains high risk and not low risk people. Next, the actual flood event doesn’t hit a small percentage of locations. It hits them all at once, for a concentrated catastrophic loss.

They will not sell it to everyone though. They’ll make sure to balance out their exposure. Some locations in one area, some in another. Once they have enough exposure in one concentrated area, they’ll stop selling more in that area. You see this with hurricane coverage already. An insurer will get too concentrated in an area and not renew a huge chunk of policies one year to redistribute their risk. Forces those customers to move to another carrier.

There is still a real risk hiding in the cyber coverage though that can hit the insurer. If the thing that fails isn’t “just some company”, but is instead “some hosting provider” and it impacts a bunch of customers all at one time. For instance, if Amazon Web Services suffers a loss. Instead of just 1 event with 1 limit and 1 exposure. If the loss impacts all of Amazon’s customers too. That could be hundreds of events, 1 for each customer, with hundreds of individual limits and exposures. So, just like the flood example, good insurance companies keep track of where their policy holders’ infrastructure is located. If they get too big a concentration in one location, they’ll have to rebalance the risk pool. Bad insurance companies don’t worry about this, and they go bankrupt after the event from all the related claims.

And at the top of it all is my Flybinite Reinsurance Reinsurance Reinsurance Reinsurance Co. :grin:

It’s probably some guy in a Lloyds of London syndicate using his house as the reserve collateral. :sunglasses:

It’s all just gambling, with better statistics than playing the stock market.

During the last big financial crash a lot of insurers went bankrupt, including some very large ones. None of the people running them went to prison for fraud or anything. I’m just saying that in the event of an actual tens-of-billions of dollars decision against someone like Facebook, it’s very unclear whether they’d actually get the insurance money rather than just causing a cascade of bankruptcies among insurers and re-insurers.

Someone should sanction these corrupt oligarchs.

In 2013 or 2015 (I’m sure it wasn’t 2014 for some reason) there was this article listing all the Icelandic bankers who had gone to prison in connection with the financial collapse. It had the date and the length of their sentence, so I was able to put together a list of how many were in prison. It was 15, if I recall correctly. Iceland has an incarceration rate of 45 per 100,000 and a little over 300,000 people, so it worked out that 10% of the people in their prisons were bankers in prison in connection with that collapse.

As far as I could tell in the rest of the developed world that number was 0% (even if in a few places that was due to rounding down).

If I were running for president in America in 2020, that would be my platform. To make sure that 10% of people in American prisons were there for financial crimes. I think I’d win.


Well, I’ve worked at companies that are under regular heavy security audits (Fed, credit card, and from our larger customers), and from what I’ve seen, it’s just like what Dilbert said about ISO9000 (or whatever), it’s not about how good your processes are, but if you follow them. Theater, mostly. Perhaps someday it will move beyond that, but most of it is far too shallow.
