Why haven't cyberinsurers exerted more pressure on companies to be better at security?

Originally published at: https://boingboing.net/2019/09/10/externalized-risk.html

A few years ago, cyber-insurers were making an aggressive marketing push that got the attention of at least two companies in my clients’ portfolios. I was asked to audit both companies for best practices that would bring them into compliance for coverage and act as a point of contact with the insurer. I ended up telling them that they should put those practices in place for their own sakes and that, after doing a cost-benefit analysis, the insurance was essentially a cheap certification for inclusion in their sites’ legal boilerplate but otherwise wouldn’t make much of a difference. I ended up doing the audit for one company (which already easily checked off 90% of the insurer’s requirements), and the other blew it off – neither ended up buying the cyber-insurance.


Well, my friend does security work for companies; he tells them what they need to be secure and this and that, and too many of them cheap out on it and don’t follow through or only half-ass it, and then end up calling him later to fix their problem when they get hacked.

I guess because it is more nebulous than a physical locked door, they don’t understand the issue fully, and are short-sighted on the costs. Just like they think their physical security is unlikely to get broken into, they take a similar approach that it is unlikely they will get hacked.

So short-sighted/not understanding the issue.

Why insurers don’t insist on clients taking proper steps, I dunno.


These breaches are like you loaned your car to someone and they brought it back wrecked. They hand you the keys and say you might want to get that looked at. They lost your data and they do nothing to fix it. They put on a pretty band-aid and they’re done, leaving you with the “wrecked car” of your credit and identity. In the meantime, do I have to take my “free” credit monitoring concurrently or can I do them in series? I’m up to like 3 now :wink:
It still really annoys me that Equifax referred to us as “customers”.


I’m sure it’s been said elsewhere:


yes, but in this case, unlike FB or the other “free” services, we weren’t even the users. We were truly the product but we never really agreed to the arrangement, so they gathered us up, sold us off, and then let the wolves.


You are not alone in this annoyance. “Captives” would be more accurate.


Two words - hard market.


My former employer hired a guy direct from Microsoft to boost their security; he quit within a year because they refused to pay for all of the needed changes.


Because they want to stay able to insure themselves?


I suspect that this, along with the relatively low costs of a lot of breaches, especially ones that merely pilfer user data rather than encrypt/wipe everything, has a lot to do with it.

I’ve been told that there are some enterprises (I think big construction/civil engineering projects were the example I was given) where risk management expertise is something that insurers who underwrite those sorts of jobs commonly have; and the desired relationship is one where the insurer both provides coverage should something bad happen and provides expert advice on minimizing the odds of that outcome.

With IT there’s plenty of unrelated expertise, if you want to pay for and listen to it, so people who want to turn money into security can do it largely outside the insurance framework. Also, the bad outcomes you can least mitigate (e.g. a user data leak is forever; ransomware is only scary if your backup and DR sucks) are the ones with minimal penalties; while the ones that are directly costly are the ones that practices that are a good idea in general (backups, DR plans) mitigate even if you adopt them only out of concern for disk failures and datacenter fires.
