"For cyber, it's a little bit more vague"
No kidding. I suppose it doesn't help when you read about how a malware nasty cost hundreds of billions to the industry. Where do they pull those numbers from ?
Okay, yeah, I've got the same idea.
EU companies aren't taking out insurance against attacks on online assets because the companies selling coverage aren't organised enough – while Brits are more likely to pay off ransomware crooks than others. Insurance that pays out if your company gets hit by an online attack is a tricky subject. While it is an obvious …
"Is Mankind a slow learner and easy retarded target for systemic abuse in endemic mis-use?"
Ask the advertising industry. Or the political party of your choice. Or the religion of your choice. Or any other organization that exists to make money off the GreatUnwashed.
Wait... was that a comment from amanfromMars that actually made sense? Congrats, a new first! .... Anonymous Coward
Hmmmm? Does that as a new first identify you as a slow learner, AC, for no nonsense is freely shared here on El Reg for commentary and reportage since ages ago now. And that holds out the possibility, and therefore very real probability, that one might easily become considerably smarter in the future too whenever questions are answered for problems to be solved and/or effectively quarantined and practically ignored/virtually eradicated.
And it does makes one wonder why all those chattering political pygmies avoid answering simple questions with ignorant and arrogant evasions whenever such instantly highlights their lack of intelligence for leading in future spaces ........ although that does sort of bring us all back with a undeniably positive, viable truthful answer to the earlier question ..... Is Mankind a slow learner and easy retarded target for systemic abuse in endemic mis-use?
If the truth of the worlds around you are held in secrets unknown to you, are you serially abused and misused in support of what is generally unknown and invariably classified Top Secret/Sensitive Compartment Information. Be they accurately described as perverse and corrupt hidden agendas which almightily benefit just a chosen few?
We have been kicked off the council of wise men (assuming we were on it)? Now the UK is out. ....... Avatar of They
A Type Dominic Cummings would venture out and freelancing is as a failsafe bet, surely?!.
Courtesy of Secret IntelAIgent Services is available for Truthful Use should one be asked/tasked.
What say you to all of that, D/C/M ? Too Good to be True? Oh please, you cannot be serious. Doubt Harbours Failures and Defeats which Both Hinder and Halt Progress with Destructive and Disruptive ACTivities in Persistent Advanced Cyber Threatened Environments.
Does I Think therefore I am logically morph for field testing further along that road into IThink therefore We are. Such there easily creates the most friendly and intimate of couplings and episodes. :-) I suppose that is why it is so popular and even soaring deeper into the quite addictively attractive .
How would one find that? Hellish or Heavenly? A Fab AI Place or a Toxic Digital Dump?
Obviously the trick is for the insurance company to be certain that the security of their clients meets some minimum standard where that minimum itself is constantly rising. The correct business model is for insurance companies themselves to provide constant security auditing services (and solutions) to their clients. But that would require doing real work rather than just collecting premiums.
In reality cyber breach policies range from cheap "fire and forget" policies with low and limited pay outs to strong coverage policies that require stringently specified security controls to be in place, so all options are available. Just don't expect a cheap lax or narrowly defined policy to be good protection - you get what you pay (and make the effort) for.
The real big problem is that data breaches are far from uniform, or even readily categorisable, as there are so many variables involved. Consequently both underwriting and complying with the doctrine of Uberrimae fidei (ultimate good faith) required of the insured to validate a policy are hard nuts to crack. I once consulted with a highly innovative company that was creating new business services almost on a monthly basis, and they found that the continuous cost of keeping an insurer informed under Uberrimae fidei was greater than the potential cover of an adequate policy could justify.
"The correct business model is for insurance companies themselves to provide constant security auditing services (and solutions) to their clients."
How do you then counter the money grubbing side of insurance where they'd force you to upgrade your solutions package to pass the audits? I'm not a "free market fixes everything" person and have no doubt the top bods would gladly sacrifice long term stability for short term profits and rapacious bonuses
Another thing that's almost certainly not covered is the cost associated with regulatory breaches (e.g. of the GDPR) where no data leakage or loss has occurred. Unfortunate because clause II(f) of the controller to controller standard contractual clauses (set 2) requires of the data importer (the party receiving the data) "At the request of the data exporter, it will provide the data exporter with evidence of financial resources sufficient to fulfil its responsibilities under clause III (which may include insurance coverage)."
Clause III states "Liability and third party rights
(a) Each party shall be liable to the other parties for damages it causes by any breach of these clauses. Liability as between the parties is limited to actual damage suffered. Punitive damages (i.e. damages intended to punish a party for its outrageous conduct) are specifically excluded. Each party shall be liable to data subjects for damages it causes by any breach of third party rights under these clauses [...]
(b) The parties agree that a data subject shall have the right to enforce as a third party beneficiary this clause and clauses I(b), I(d), I(e), II(a), II(c), II(d), II(e), II(h), II(i), III(a), V, VI(d) and VII against the data importer or the data exporter, for their respective breach of their contractual obligations, with regard to his personal data, and accept jurisdiction for this purpose in the data exporter’s country of establishment.[...]"
which encompasses any breach of the regulation, whether a "security incident" or not, and there are multifarious ways to breach the regulation without leaking or losing anything. Note the reference to "third party rights".
As the UK is now a Third Country (unless by slim chance that has been held over for the next 10 months or so) this will apply immediately to any UK business receiving relevant personal data from the EU as a data controller (i.e. for its own purposes). Even if we've currently been granted a stay of Third Country status, is will apply immediately we eventually become one.
"[...] any UK business receiving relevant personal data from the EU as a data controller (i.e. for its own purposes)"
I should have said "receiving relevant personal data as a data controller from an EU data controller" as this doesn't apply to personal data collected directly from a data subject in the EU.
...but I really wish these people would stop using "cyber" as a noun. Security types are also guilty of this. "We need to upskill to meet the threat in cyber." "Cyber is an evolving arena." "Something something cyber, something something blockchain, something something destiny." I guess they don't think "IT" sounds cool or scary enough.
I started out working in "Information Security", through many years and many rounds of buzzword bingo, and marketing fuckwittery I have given up and will call my job and my profession whatever it takes to be listened to. If I need to call myself the "Cyber Security Digital Cloud Architech Blockchainologist" to get to talk to the PHB in charge then I will.
But deep down, I'll always be an "Information Security" man because my remit still covers Yale locks and paper. Even if noone will talk about anything unless it's got fucking 'digital' in front of it.
What I've seen tbh is that most companies pay their techies a pretty reasonable wage. The problem is that they actually need 15 techies on that wage not the 10 who are struggling by doing extra hours for the hell of it.
If they paid more they'd get more applicants for those jobs but there still wouldn't be enough people.
You will be aware that Danes have a habit of turning up and waiting for you to pay their geld so they will go away. Have you considered taking advantage of an insurance policy? For a simple monthly payment we will support* you in the unlikely event of a Danish occupation.
* Terms apply. Requires maintenance of strong defences and a standing army or trained militia
There is very little difference between these two as far as assesing the odds of paying out to customers. Both are in the same business of paying out as little as possible. One is upfront with the odds the other hides behind a web of b/s with which to cloud the odds offered.
Insurance is all about making a profit. Insurers do the statistics and calculate the costs of damage and how many people will be affected. If the total annual cost is likely to be 50 million a year and they think that they can sell a million policies then the average cost of a policy will be about 800 quid.
But remember to read the small print at the back of the policy that states on the front page that you have a million quid complete coverage. The back page will make it clear that the policy does not cover related costs, it will say things like it only covers the cost of replacing the computers damaged by the malware, provided that the computer was worth forty thousand and there's a thirty thousand deductible - per computer. Any losses in your bank accounts are third-party losses and are not covered because the loss occurred in another location not owned by you.
I've seen quite a few policy documents and the wording worries me.
There's usually some guff about paying out if you get hacked, but they don't define what "hacked" means to them.
Given that most people use the word "hack" in a completely inappropriate way, I suspect that's where the biggest get out clause is. If your data is screwed because you willingly gave your user credentials away, then whilst you might think you've been "hacked" in reality you haven't and I'm sure the insurers will also take that view.
Redefine "hack" as Advanced IntelAIgent Doctoring for/from Postmodern Quacks*, and you'll have an accurate enough view of Primary Current Fields in Present Day Play, for who and/or what to be identified as Hands-On Accountable and Responsible with Future Command Controls.
Methinks though that is substantially more of a core kernel crack than a remote system hack ..... and an absolute nightmare for insurance to broker as untenable with both being practically and virtually impossible.
However, considering the present madness in crazy mayhem, surely a most welcome innovation/almighty universal experiment ...... the Product Placement and Project Deployment of Virtually Real Assets ....... :-) Hellishly Heavenly Ghosts with the Most.:-)
You should note that be a statement and no question to falsely manufacture the devils of monstrous doubt and patentable evil.
* .... quack
I can just see all the insurance technogabble now.
It will be basically a verbose and highly detailed though nonsensical version of "That's a fine Cyber® you have there. Shame if something happened to it that wasn't covered by our Policy©. Maybe you should have paid a higher premium."
Probably already expired policy's in my pocket somewhere.
Biting the hand that feeds IT © 1998–2020