"56% of respondents to a survey confirming that they had a formal cybersecurity strategy in place"
I wonder if the AA was one of these.
Insurers whose policies could give rise to claims for damage as a result of cyber attacks may have to adjust their policies or premiums to better reflect these risks, UK financial services regulatory bod Prudential Regulation Authority (PRA) has warned. Firms should also carry out regular ‘stress tests’ to ensure that they are …
“The PRA expects firms to adopt a proportionate approach when assessing their non-affirmative exposures. The firm’s underwriting and risk management functions should play a key role in leading this effort,” it said.
More of a key role than the IT dept?
Seems like box ticking to me.
Doubt it: the insurers see a big chance here and also a big stick with which to beat customers
I think you're right. They see the opportunity to hike premiums anyway, and then disallow any claims as (by definition) the IT security wasn't up to scratch.
I hope so, simply because I want to see what the results are.
Company: "Dear insurer, I decided to save money by not patching a critical system but still connected it to the internet with SMB wide open and I got ransacked by WCry. Please pay out on insurance"
Insurer: "......................."
That said... Maybe the "cyber" (people still use that word?!) risk payouts should come from the bloody large fines dropped onto companies that are lax with their so-called security. Fines need to hurt if they're going to have any effect, otherwise such things will just be factored into the cost of doing business.
Fines need to hurt if they're going to have any effect, otherwise such things will just be factored into the cost of doing business.
In most ordinary businesses fines are an exceptional cost of doing business. In financial services fines are a routine operating cost. For both scenarios, fines rarely reduce director and employee incentive rewards, so the problem is that the fines (usually) don't have any impact on those whose behaviour needs to change - and even if they did, they're far too long after the important decisions were taken to have any bearing on the future decision making process.
If fines are to change behaviour, they need to directly affect those who are making decisions or specifically doing something wrong (like mis-selling), and that includes potentially going after people who left the company long ago, who have retired and are now playing the "helpless pensioner" card, and making sure that the internal and external auditors are also clobbered if they didn't identify relevant major risks.
How can an insurer evaluate risk unless they have some insight into how the company manages its security policy? Once they find out how many systems are out of date or unpatched, and tell you "you will have a 600% increase in premiums next year unless you fix all these issues" the insurance company is basically in charge of your security policy from then on - they'll be sending out notices "please insure you have patched all Windows systems by July 15 if you want to maintain your Ransomware policy".