Insurance companies now telling you what tech to buy with un-missable price signals

Global mega-insurers Allianz and Aon have just given IT buyers and the security industry plenty to ponder by cooking up a deal with Apple and Cisco that makes users of those companies’ kit eligible for a special class of cyber insurance. Part of the new deal is business as usual, as it will see “Aon cyber security …

  1. Anonymous Coward

    FTFY

    buyers will have templates explaining what they need to buy to demonstrably reduce risk which vendors are paying insurers to promote their products from their marketing budgets.

    1. FrozenShamrock

      Re: FTFY

      Except, you have to remember the insurance companies are putting their own money on the line by offering lower premiums if you use those products. If they offer you a lower premium for using a product that is bad, it will come back and bite them in their wallet, costing them much more than whatever they would be paid by the vendor. This is not like Gartner who makes recommendations with no skin in the game. I'm not saying their recommendations will be 100% correct; but, they have too much of their own money at stake to simply sell a spot on their preferred list.

    2. Gigabob

      Re: FTFY

      Another point is that if you follow the insurance template and suffer a major mischief due to a design flaw sufficient to sue Apple or Cisco for - a la use of Intel CPUs - then the insurance company will get added to the suit. Insurance companies' forte is managing risk. I would thus want to have my flinty-eyed lawyers and accountants review their endorsements to understand what constitutes an act of a vengeful digital deity that the insurance company absolves its responsibility for.

  2. Destroy All Monsters Silver badge
    Windows

    Good!

    This is exactly how it should work.

    Let the moans begin.

    They will be completely at odds with the usual cries of "hit the security-unaware ones in the wallet", some people just want to live in a quantum superposition dreamland.

  3. Terry 6 Silver badge
    Joke

    Definition of an actuary

    Someone who finds accountancy too exciting.

    1. Chris Miller

      Re: Definition of an actuary

      More properly:

      Someone who always wanted to be an accountant, but lacked the personality for it.

      1. Spudley

        Re: Definition of an actuary

        > More properly:
        >
        > Someone who always wanted to be an accountant, but lacked the personality for it.

        Hugh Grant starred in a movie once which proves that if you try hard enough it is possible to Love Actuary.

        1. Doctor Syntax Silver badge

          Re: Definition of an actuary

          " Love Actuary."

          You should be ashamed of yourself. Have an upvote.

    2. Anonymous Coward

      Re: Definition of an actuary

      The man in the picture is way too excited to be an actuary.

  4. Terry 6 Silver badge
    Joke

    What's the difference between an actuary and a computer

    A computer has a personality.

  5. DougS Silver badge

    Selling insurance against breakins seems insane

    If you buy fire insurance it is pretty easy to evaluate how a building complies with code, how well the occupants comply with code, what materials it is constructed from, if it has fire suppression, if it has an alarm, what the typical response time of the local fire department is, etc.

    If you buy insurance against getting hacked, there is a loose list of "best practices" - many of which haven't been updated since the 90s and are so obsolete as to be counterproductive - and you have to actually do all the things your policies say you're going to do or they are worthless (like keeping current on patches). One employee getting phished can let an attacker inside and all your perimeter defenses are worthless, you may have intrusion detection but 99% of the time it is either so noisy real alerts are missed or so many alerts have been shut off to keep it from being noisy that real alerts are suppressed, and the intruder goes unnoticed.

    If your business is struggling and you set fire to the place there are decades of practice in forensic fire examination that has a good chance of proving it was arson. If you set yourself up to get hacked by someone halfway around the world to collect on the insurance money, good luck to your carrier being able to prove it.

    1. Anonymous Coward

      Re: Selling insurance against breakins seems insane

      First, try getting this cover for a reasonable premium.

      Second, read the small print.

      Third, insurers won't offer cover if they can't make money.

      Insurance is a protection against financial loss. The insurer will insist on minimum standards which will improve the protection levels. The no claims discount will be an interesting calculation.

      My coat is the one with the actuarial tables in it.

    2. Naselus

      Re: Selling insurance against breakins seems insane

      Um, most of the things you mention are good reasons why having an outside insurance agent to force you to comply with best practices is a good thing, tbh.

      Keeping current on patches? Something we're always complaining ought to be in place, and roundly mock any company which is hacked for failing to do so.

      One employee getting phished? Forces you to keep your anti-phishing training and automated email filters up to date and to enforce least privilege properly. If Susie in the call centre can't access anything, her being phished doesn't matter.

      IDS having all its alerts switched off? Not something that ought to be happening either.

      Many of these things are areas IT and IS have spent years trying to push companies toward, but companies themselves have failed to see any reason to do so. Having an insurance company demand compliance to provide coverage may actually make C-suite or board members take it a bit more seriously.

    3. Anonymous Coward

      Re: Selling insurance against breakins seems insane

      > worthless (like keeping current on patches)

      Whilst some outdated security practices are worthless - like password complexity tests plus repeated password changes - keeping current on patches is definitely not.

      If your OS or applications have known holes, they *are* going to get exploited sooner or later.

      > One employee getting phished can let an attacker inside and all your perimeter defenses are worthless

      That's really just saying "perimeter defenses are worthless", which is indeed true.

      See Google's "BeyondCorp" paper for a better way of doing it. Basically: don't trust anything inside the network any more than you trust the outside. All apps must validate both the device and the end user (or sit behind a proxy which does that). And all devices must prove they have been locked down and are fully patched.

  6. Chris Hills
    Thumb Down

    I disagree

    I disagree with mandating specific products. They should mandate that you use only products supporting a specific standard (e.g. from the B.S.I. - they have standards for computer security, right?).

    1. Swarthy Silver badge
      Thumb Up

      Re: I disagree

      I agree. Insurance companies charging extra for poor security is a good thing, as above, it may actually get the C-suites to reduce their rectal-cranial inversions.

      However, mandating certain brands for the discount seems awfully prone to back-handers, overlooking niche players, and a ramping up of the inverse-hammer fallacy (Hammer Fallacy: If all you have is a hammer, every problem looks like a nail; Inverted: If we don't have the solution, it is obviously not a problem.). EG: Getting a Cisco Firewall approved instead of <OtherBrand> that has features that are needed for the site, thus reducing security and effectiveness.

      1. Anonymous Coward

        Re: I disagree

        Look out for insurance companies buying IT security firms, or security firms offering insurance if you use their products. This could become very confusing.

      2. Naselus

        Re: I disagree

        Agreed; especially since one of the companies which they're mandating as 'secure' has had repeated, embarrassing password-related fails in the past few months.

  7. Swarthy Silver badge
    WTF?

    Waitaminnit.....

    Wait, Apple and Cisco get the discount? Does that mean that eye-oh-ess is the "template" for the security discount? I can't see that back-firing at all.....

    1. Blotto Bronze badge

      Re: Waitaminnit.....

      "eye-oh-ess "

      Must be like when I get bombarded by recruiters looking for iPhone developers as I have decades of IOS experience on my CV. Twits don't realise.

      1. ArrZarr Silver badge

        Re: Waitaminnit.....

        @Blotto

        When pressed, do you just point out that fractions are treated in the plural sense - 0.5 decades as opposed to 0.5 decade?

        My millennia of experience in being sneaky is paying dividends.

  8. Claptrap314 Bronze badge

    About time

    After the Great Fire of London, the reinsurance companies refused to issue policies to insurance companies that were overly exposed to wooden structures.

    Here in the US, insurers got so tired of dodgy electrical appliances that they formed a group to inspect and recommend them--"Underwriter's Laboratory", also known as "UL".

    So it's not a surprise that the insurers are taking this sort of step. The surprise is that they are recommending Cisco. Ahh, well. That's what bankruptcies are for...

    1. jdoe.700101

      Re: About time

      At least Adobe isn't on the list...yet.

  9. hoola

    What could possibly go wrong......

    Anything like this stinks of back-handers and the associated hospitality. I don't care who the vendors are, it is the same. The fact it just happens to be two large American corporations that believe they should have 100% of the market is a minor detail.

    1. Frank Gerlach #2

      Really?

      In my world, MSFT and Adobe dominate markets while not getting security right. Not sure about Cisco, but Apple has indeed a record of serious measures towards security.

      For example they encourage (force?) developers to sandbox their apps, which is much better than what MSFT does: google "Apple App Sandbox in Depth"

      Of course they also have issues, but at least they appear to work on systemic fixes instead of just more band-aids.
