back to article Cover for 'cyber' attacks is risky, complex and people don't trust us, moan insurers

EU companies aren't taking out insurance against attacks on online assets because the companies selling coverage aren't organised enough – while Brits are more likely to pay off ransomware crooks than others. Insurance that pays out if your company gets hit by an online attack is a tricky subject. While it is an obvious …

  1. Pascal Monett Silver badge
    Holmes

    "For cyber, it's a little bit more vague"

    No kidding. I suppose it doesn't help when you read about how a malware nasty cost hundreds of billions to the industry. Where do they pull those numbers from ?

    Okay, yeah, I've got the same idea.

  2. amanfromMars 1 Silver badge

    Been here before elsewhere too ..... and it is still sub-prime optimal

    Insurance cover for "cyber" attacks is mis-selling and fraudulent?

    Is Mankind a slow learner and easy retarded target for systemic abuse in endemic mis-use?

    1. jake Silver badge

      Re: Been here before elsewhere too ..... and it is still sub-prime optimal

      "Is Mankind a slow learner and easy retarded target for systemic abuse in endemic mis-use?"

      Ask the advertising industry. Or the political party of your choice. Or the religion of your choice. Or any other organization that exists to make money off the GreatUnwashed.

    2. jason_derp

      Re: Been here before elsewhere too ..... and it is still sub-prime optimal

      "Is Mankind a slow learner and easy retarded target for systemic abuse in endemic mis-use?"

      Yes. It has always been this way.

      https://www.oglaf.com/expositionfairy/

    3. Anonymous Coward
      Anonymous Coward

      Re: Been here before elsewhere too ..... and it is still sub-prime optimal

      Wait... was that a comment from amanfromMars that actually made sense? Congrats, a new first!

      1. amanfromMars 1 Silver badge

        Re: Been here before elsewhere too ..... and it is still sub-prime optimal

        Wait... was that a comment from amanfromMars that actually made sense? Congrats, a new first! .... Anonymous Coward

        Hmmmm? Does that as a new first identify you as a slow learner, AC, for no nonsense is freely shared here on El Reg for commentary and reportage since ages ago now. And that holds out the possibility, and therefore very real probability, that one might easily become considerably smarter in the future too whenever questions are answered for problems to be solved and/or effectively quarantined and practically ignored/virtually eradicated.

        And it does makes one wonder why all those chattering political pygmies avoid answering simple questions with ignorant and arrogant evasions whenever such instantly highlights their lack of intelligence for leading in future spaces ........ although that does sort of bring us all back with a undeniably positive, viable truthful answer to the earlier question ..... Is Mankind a slow learner and easy retarded target for systemic abuse in endemic mis-use?

        If the truth of the worlds around you are held in secrets unknown to you, are you serially abused and misused in support of what is generally unknown and invariably classified Top Secret/Sensitive Compartment Information. Be they accurately described as perverse and corrupt hidden agendas which almightily benefit just a chosen few?

        1. Anonymous Coward
          Anonymous Coward

          Re: Been here before elsewhere too ..... and it is still sub-prime optimal

          ... and, back to normal. Must have been a fluke.

          1. amanfromMars 1 Silver badge

            Re: Been here before elsewhere too ..... and it is still sub-prime optimal

            ... and, back to normal. Must have been a fluke. ... Anonymous Coward

            :-) So/Too Kind, AC :-) And that does beggar a further question ..... Is that fluke fake?

      2. Aussie Doc
        Pint

        Re: Been here before elsewhere too ..... and it is still sub-prime optimal

        I think the bot doesn't do too badly with just one or two sentences but more than a paragraph and AMFM sounds like the drunk uncle at a family bbq. ------------>

  3. Avatar of They
    Unhappy

    Assuming

    We have been kicked off the council of wise men (assuming we were on it)? Now the UK is out.

    1. amanfromMars 1 Silver badge

      Re: Assuming

      We have been kicked off the council of wise men (assuming we were on it)? Now the UK is out. ....... Avatar of They

      A Type Dominic Cummings would venture out and freelancing is as a failsafe bet, surely?!.

      Courtesy of Secret IntelAIgent Services is available for Truthful Use should one be asked/tasked.

      What say you to all of that, D/C/M ? Too Good to be True? Oh please, you cannot be serious. Doubt Harbours Failures and Defeats which Both Hinder and Halt Progress with Destructive and Disruptive ACTivities in Persistent Advanced Cyber Threatened Environments.

      Does I Think therefore I am logically morph for field testing further along that road into IThink therefore We are. Such there easily creates the most friendly and intimate of couplings and episodes. :-) I suppose that is why it is so popular and even soaring deeper into the quite addictively attractive .

      How would one find that? Hellish or Heavenly? A Fab AI Place or a Toxic Digital Dump?

  4. The Man Who Fell To Earth
    FAIL

    The real problem is insurance companies are lazy

    Obviously the trick is for the insurance company to be certain that the security of their clients meets some minimum standard where that minimum itself is constantly rising. The correct business model is for insurance companies themselves to provide constant security auditing services (and solutions) to their clients. But that would require doing real work rather than just collecting premiums.

    1. Mike 137 Silver badge

      Re: The real problem is insurance companies are lazy

      In reality cyber breach policies range from cheap "fire and forget" policies with low and limited pay outs to strong coverage policies that require stringently specified security controls to be in place, so all options are available. Just don't expect a cheap lax or narrowly defined policy to be good protection - you get what you pay (and make the effort) for.

      The real big problem is that data breaches are far from uniform, or even readily categorisable, as there are so many variables involved. Consequently both underwriting and complying with the doctrine of Uberrimae fidei (ultimate good faith) required of the insured to validate a policy are hard nuts to crack. I once consulted with a highly innovative company that was creating new business services almost on a monthly basis, and they found that the continuous cost of keeping an insurer informed under Uberrimae fidei was greater than the potential cover of an adequate policy could justify.

    2. Mongrel

      Re: The real problem is insurance companies are lazy

      "The correct business model is for insurance companies themselves to provide constant security auditing services (and solutions) to their clients."

      How do you then counter the money grubbing side of insurance where they'd force you to upgrade your solutions package to pass the audits? I'm not a "free market fixes everything" person and have no doubt the top bods would gladly sacrifice long term stability for short term profits and rapacious bonuses

    3. Anonymous Coward
      Anonymous Coward

      Re: The real problem is insurance companies are lazy

      The real problem is that most insurance companies are not much better than legalized crooks.

  5. Mike 137 Silver badge

    "The "what is covered" argument was sharply highlighted..."

    Another thing that's almost certainly not covered is the cost associated with regulatory breaches (e.g. of the GDPR) where no data leakage or loss has occurred. Unfortunate because clause II(f) of the controller to controller standard contractual clauses (set 2) requires of the data importer (the party receiving the data) "At the request of the data exporter, it will provide the data exporter with evidence of financial resources sufficient to fulfil its responsibilities under clause III (which may include insurance coverage)."

    Clause III states "Liability and third party rights

    (a) Each party shall be liable to the other parties for damages it causes by any breach of these clauses. Liability as between the parties is limited to actual damage suffered. Punitive damages (i.e. damages intended to punish a party for its outrageous conduct) are specifically excluded. Each party shall be liable to data subjects for damages it causes by any breach of third party rights under these clauses [...]

    (b) The parties agree that a data subject shall have the right to enforce as a third party beneficiary this clause and clauses I(b), I(d), I(e), II(a), II(c), II(d), II(e), II(h), II(i), III(a), V, VI(d) and VII against the data importer or the data exporter, for their respective breach of their contractual obligations, with regard to his personal data, and accept jurisdiction for this purpose in the data exporter’s country of establishment.[...]"

    which encompasses any breach of the regulation, whether a "security incident" or not, and there are multifarious ways to breach the regulation without leaking or losing anything. Note the reference to "third party rights".

    As the UK is now a Third Country (unless by slim chance that has been held over for the next 10 months or so) this will apply immediately to any UK business receiving relevant personal data from the EU as a data controller (i.e. for its own purposes). Even if we've currently been granted a stay of Third Country status, is will apply immediately we eventually become one.

    1. Mike 137 Silver badge

      Re: "The "what is covered" argument was sharply highlighted..."

      IMPORTANT CLARIFICATION:

      "[...] any UK business receiving relevant personal data from the EU as a data controller (i.e. for its own purposes)"

      I should have said "receiving relevant personal data as a data controller from an EU data controller" as this doesn't apply to personal data collected directly from a data subject in the EU.

  6. ibmalone Silver badge
    IT Angle

    I realise this ship has sailed...

    ...but I really wish these people would stop using "cyber" as a noun. Security types are also guilty of this. "We need to upskill to meet the threat in cyber." "Cyber is an evolving arena." "Something something cyber, something something blockchain, something something destiny." I guess they don't think "IT" sounds cool or scary enough.

    1. Yet Another Anonymous coward Silver badge

      Re: I realise this ship has sailed...

      I thought cyber is a noun - it's the bloke that stands at the back of Greek galley and steers it

      1. ibmalone Silver badge
        Coat

        Re: I realise this ship has sailed...

        Isn't that a cybernaut?

        1. Spanners Silver badge
          Go

          Re: I realise this ship has sailed...

          I would have said cyberman...

          1. 0laf Silver badge
            Flame

            Re: I realise this ship has sailed...

            I started out working in "Information Security", through many years and many rounds of buzzword bingo, and marketing fuckwittery I have given up and will call my job and my profession whatever it takes to be listened to. If I need to call myself the "Cyber Security Digital Cloud Architech Blockchainologist" to get to talk to the PHB in charge then I will.

            But deep down, I'll always be an "Information Security" man because my remit still covers Yale locks and paper. Even if noone will talk about anything unless it's got fucking 'digital' in front of it.

          2. Robert Helpmann?? Silver badge
            Big Brother

            Re: I realise this ship has sailed...

            I see what you did there. Keep it up and you will be exiled to Cyberia.

  7. whileI'mhere

    The link to "a number of high-profile court cases brought by insurance companies against their own customers" is in fact a link to ONE case of a client suing its insurer. Quite the opposite.

    (Mondelez suing Zurich for refusing a claim.)

  8. Blackjack

    Please backup and keep your Os in good health

    Maybe if companies actually cared to pay more than the minimum possible for their teachis they could you know, restore from the last safe backup?

    1. 0laf Silver badge
      FAIL

      Re: Please backup and keep your Os in good health

      What I've seen tbh is that most companies pay their techies a pretty reasonable wage. The problem is that they actually need 15 techies on that wage not the 10 who are struggling by doing extra hours for the hell of it.

      If they paid more they'd get more applicants for those jobs but there still wouldn't be enough people.

  9. Mr Humbug

    Dear Æthelred The Unready

    You will be aware that Danes have a habit of turning up and waiting for you to pay their geld so they will go away. Have you considered taking advantage of an insurance policy? For a simple monthly payment we will support* you in the unlikely event of a Danish occupation.

    * Terms apply. Requires maintenance of strong defences and a standing army or trained militia

    1. Rich 11 Silver badge

      Re: Dear Æthelred The Unready

      Dear Mr Humbug,

      Thank you for your thoughtful suggestion. Personally I think you're on to something but my advisers have told me to tell you no.

      Yours,

      Æthelred the Redeless

  10. Anonymous Coward
    Anonymous Coward

    they say hacking

    we say business opportunity...

    1. jake Silver badge

      Re: they say hacking

      The idiot skiddies they call "hackers" wouldn't know a business opportunity if it walked up and bit them.

  11. Ted's Toy

    Insurance Co Or Bookmakers

    There is very little difference between these two as far as assesing the odds of paying out to customers. Both are in the same business of paying out as little as possible. One is upfront with the odds the other hides behind a web of b/s with which to cloud the odds offered.

    1. Mark Exclamation

      Re: Insurance Co Or Bookmakers

      ^^^^^ This, exactly! Insurance is nothing more than a wager: "We'll bet you {your premium} that an insured event won't happen. If it does, we state we'll pay you {insured amount}." (But we'll do our utmost to find a way not to pay you).

  12. Anonymous Coward
    Anonymous Coward

    Ankh Morpork insurance

    So you want to make me a bet that my house won't burn down?

    1. 0laf Silver badge
      Gimp

      Re: Ankh Morpork insurance

      In-sewer-ance?

      Does that come with anything made of sapient pearwood

    2. Sir Runcible Spoon Silver badge
      Joke

      Re: Ankh Morpork insurance

      "So you want to make me a bet that my house won't burn down?"

      Yeah, it'd be a shame if it did though, innit?

  13. Version 1.0 Silver badge
    FAIL

    You are all missing the point

    Insurance is all about making a profit. Insurers do the statistics and calculate the costs of damage and how many people will be affected. If the total annual cost is likely to be 50 million a year and they think that they can sell a million policies then the average cost of a policy will be about 800 quid.

    But remember to read the small print at the back of the policy that states on the front page that you have a million quid complete coverage. The back page will make it clear that the policy does not cover related costs, it will say things like it only covers the cost of replacing the computers damaged by the malware, provided that the computer was worth forty thousand and there's a thirty thousand deductible - per computer. Any losses in your bank accounts are third-party losses and are not covered because the loss occurred in another location not owned by you.

  14. Huw D Silver badge

    Define "hack"

    I've seen quite a few policy documents and the wording worries me.

    There's usually some guff about paying out if you get hacked, but they don't define what "hacked" means to them.

    Given that most people use the word "hack" in a completely inappropriate way, I suspect that's where the biggest get out clause is. If your data is screwed because you willingly gave your user credentials away, then whilst you might think you've been "hacked" in reality you haven't and I'm sure the insurers will also take that view.

    1. amanfromMars 1 Silver badge

      Re: Define "hack"

      Redefine "hack" as Advanced IntelAIgent Doctoring for/from Postmodern Quacks*, and you'll have an accurate enough view of Primary Current Fields in Present Day Play, for who and/or what to be identified as Hands-On Accountable and Responsible with Future Command Controls.

      Methinks though that is substantially more of a core kernel crack than a remote system hack ..... and an absolute nightmare for insurance to broker as untenable with both being practically and virtually impossible.

      However, considering the present madness in crazy mayhem, surely a most welcome innovation/almighty universal experiment ...... the Product Placement and Project Deployment of Virtually Real Assets ....... :-) Hellishly Heavenly Ghosts with the Most.:-)

      You should note that be a statement and no question to falsely manufacture the devils of monstrous doubt and patentable evil.

      * .... quack

      1. Huw D Silver badge
        Happy

        Re: Define "hack"

        I got a reply from amanfromMars1 !

        I feel honoured.

  15. Aussie Doc
    Coat

    Yeah, sure.

    I can just see all the insurance technogabble now.

    It will be basically a verbose and highly detailed though nonsensical version of "That's a fine Cyber® you have there. Shame if something happened to it that wasn't covered by our Policy©. Maybe you should have paid a higher premium."

    Probably already expired policy's in my pocket somewhere.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020