I race cars for fun and sport and found out the hard way not long ago that if I wanted to increase my life insurance I was going to have to jump through numerous hoops and pay enormous premiums for a minimal increase in my existing coverage. I was thinking about this scenario compared to ‘cyber insurance’ and, wow, what a difference.
Knowing what I know, there appear to be minimal barriers to entry for cyber insurance coverage. It’s been that way since I first started hearing about it around 14 years ago. The premiums I’ve seen and heard of aren’t outrageous either. Sure, there’s an application process and perhaps another questionnaire or two. Maybe – just maybe – there’ll be a request for more information, such as recent vulnerability scan reports, or perhaps a higher-level audit that has to be performed.
Yet, unlike car racing, where the risks are known (and are much lower than in the old days of racing given our safety equipment requirements, smarter rules, etc., even though my life insurance premiums are still based on the mindset of the past, but I digress…), I’m confident that the true information security posture of any given organization being underwritten for cyber insurance has yet to be discovered.
You see, it’s like most audits in the name of compliance: everything looks great on the surface. Ditto for those SOC 2 data center audits that everyone is proud to share.
Security policies in place? Check.
User training program (yearly email reminder and a poster in the breakroom) taking place? Check.
Passwords required? Check.
Anti-malware software in use? Check.
You’ve seen these.
Getting back to reality, I’m confident that not enough of the right questions are being asked and, more specifically, not enough technical security testing is being performed to reveal the true security posture of those being approved for cyber insurance coverage.
I was discussing this topic with a colleague recently and we came to the conclusion that there are two likely scenarios for these organizations being underwritten:
Low-hanging fruit security flaws are everywhere, and it’s virtually guaranteed that they can be found on any given network at any given time. Weak and blank passwords, no laptop encryption, no testing being performed on critical Web applications, under-secured wireless networks, PII scattered across numerous unprotected network shares, physical security controls open to the public, hundreds of missing third-party software patches on every computer, no proactive security audit logging and monitoring… You name it, it’s there. Yet we continue looking for that magic silver bullet to protect our information in the form of next-generation firewalls, DLP, cloud blah-blah-blah or whatever technology is being pushed on the industry at the moment.
I recently attended a cyber insurance event in Atlanta, and in talking to the insurance salesman, consultants, and others I met, everyone seemed to be on the same page: no one really knows the true security posture, yet the cyber insurance policies continue to be underwritten. I don’t know all the ins and outs of the cyber insurance industry, but I’ve heard enough stories and I’ve seen enough security flaws get overlooked to be confident in saying the cart’s before the horse on this one. I suspect it won’t last too long as the low-hanging fruit continues to rear its ugly head in both the breaches we know about and, most certainly, the ones we don’t.
Don’t get me wrong. Cyber insurance is great as a final fallback plan after you’ve done everything else – the proven basics that have been around for years and even decades. You’re likely already doing some remarkable things with information security. Most of what you need to know about – and do with – security is already present in your environment. You may find that you don’t need to buy anything or implement anything new to get to where you need to be – perhaps just a few tweaks here and there. Just don’t use cyber insurance as an excuse for poor security decision-making, as it will certainly come back to bite you when you’re least expecting it.