It appears that the topic of Cyber Insurance is making its rounds again. Going through some old e-mails, I found this thread.
Subject: Cyber Insurance
Has anyone made an investment in cyber insurance? If so, was there an incident that lead you to make the investment? Also, do you mind sharing your provider?
This has come up in recent discussions in my office, mainly because vendors are pushing it.
To answer your question: “No.”
My rationale: Data theft via malicious activity is included in disaster recovery policies because it is easy to protect against. If a cooperative utilizes industry best security practices, a base level of security technology is going to be employed. If risk scores are standardized, prevention and risk would be quantified similar to using seat belts or not driving while impaired. Until these scores are identified and standardized in the policy, information leakage and the damage it can cause is unquantifiable and undetectable.
A tornado blew over an oak tree that fell on my roof last month. My homeowners policy has very clear cut-and-dry policy on how the damage is to be assessed, quantified, detected, and how the claim is to be paid out. Cyber Insurance is not as clear-cut because the damage cannot be easily assessed.
This leads me to think that the only thing that cyber insurance will buy me is a seat at an arbitration table with high-priced lawyers.
The Lloyds of London have been the underwriters of every cyber-insurance policy I’ve seen to date. The Lloyds also insure things like:
- The legs of celebrities (David Beckham – $70M)
- Taste buds (Food critic Egon Ronay – $400,000)
- A mustache (Merv Hughes – $370,000)
- The hands of a Yo-Yo champ (Harvey Lowe – $150,000)
… and countless other strange things.
It’s interesting to note that, although these items are insured, not one has ever made a claim. The makes me wonder: are insurance companies in the business of collecting policies, or paying claims? Are these really insurance policies or are they “status artifacts” for the people that own them?
My philosophy: manage the risk by following standard security practices. A pound of prevention is worth 10 pounds of cure – insurance is neither prevention nor a cure.